Abstract

The Probabilistic I/O Automaton model of [20] is used as the basis for a formal presentation
and proof of the randomized consensus algorithm of Aspnes and Herlihy. The
algorithm guarantees termination within expected polynomial time.

The Aspnes-Herlihy algorithm is a rather complex algorithm. Processes move through a 
succession of asynchronous rounds, attempting to agree at each round. At each round, the 
agreement attempt involves a distributed random walk. The algorithm is hard to analyze 
because of its use of nontrivial results of probability theory (specifically, random walk 
theory), because of its complex setting, including asynchrony and both nondeterministic 
and probabilistic choice, and because of the interplay among several different sub-protocols. 

We formalize the Aspnes-Herlihy algorithm using probabilistic I/O automata. In doing 
so, we decompose it formally into three subprotocols: one to carry out the agreement 
attempts, one to conduct the random walks, and one to implement a shared counter needed 
by the random walks. Properties of all three subprotocols are proved separately, and 
combined using general results about automaton composition. It turns out that most of 
the work involves proving non-probabilistic properties (invariants, simulation mappings, 
non-probabilistic progress properties, etc.). The probabilistic reasoning is isolated to a few 
small sections of the proof. 

The task of carrying out this proof has led us to develop several general proof techniques 
for probabilistic I/O automata. These include ways to combine expectations for different 
complexity measures, to compose expected complexity properties, to convert probabilistic 
claims to deterministic claims, to use abstraction mappings to prove probabilistic properties,
and to apply random walk theory in a distributed computational setting. We apply
all of these techniques to analyze the expected complexity of the algorithm. 

This paper is written in memory of Anna Pogosyants, who died in a car crash in December 
1995 while working on this project for her Ph.D. dissertation. 
1 Introduction

With the increasing complexity of distributed algorithms there is an increasing need for mathematical
tools for analysis. Although there are several formalisms and tools for the analysis of
ordinary distributed algorithms, there are not as many powerful tools for the analysis of randomization
within distributed systems. This paper is part of a project that aims at developing
the right math tools for proving properties of complicated randomized distributed algorithms 
and systems. The tools we want to develop should be based on traditional probability theory, 
but at the same time should be tailored to the computational setting. Furthermore, the tools 
should have good facilities for modular reasoning due to the complexity of the systems to which 
they should be applied. The types of modularity we are looking for include parallel composition 
and abstraction mappings, but also anything else that decomposes the math analysis. 

We develop our tools by analyzing complex algorithms of independent interest. In this 
paper we analyze the randomized consensus algorithm of Aspnes and Herlihy [5], which guarantees
termination within expected polynomial time. The Aspnes-Herlihy algorithm is a rather
complex algorithm. Processes move through a succession of asynchronous rounds, attempting 
to agree at each round. At each round, the agreement attempt involves a distributed random 
walk. The algorithm is hard to analyze because of its use of nontrivial results of probability 
theory (specifically, random walk theory), because of its complex setting, including asynchrony 
and both nondeterministic and probabilistic choice, and because of the interplay among several 
different sub-protocols. 

We formalize the Aspnes-Herlihy algorithm using probabilistic I/O automata [20]. In doing 
so, we decompose it formally into three subprotocols: one to carry out the agreement attempts, 
one to conduct the random walks, and one to implement a shared counter needed by the random 
walks. Properties of all three subprotocols are proved separately, and combined using general 
results about automaton composition. It turns out that most of the work involves proving
non-probabilistic properties (invariants, simulation mappings, non-probabilistic progress properties,
etc.). The probabilistic reasoning is isolated to a few small sections of the proof. 

The task of carrying out this proof has led us to develop several general proof techniques 
for probabilistic I/O automata. These include ways to combine expectations for different
complexity measures, to compose expected complexity properties, to convert probabilistic claims
to deterministic claims, to use abstraction mappings to prove probabilistic properties, and 
to apply random walk theory in a distributed computational setting. We apply all of these 
techniques to analyze the expected complexity of the algorithm. 

Previous work on verification of randomized distributed algorithms includes [18], where 
the randomized dining philosophers algorithm of [13] is shown to guarantee progress with 
probability 1, [15, 19], where the algorithm of [13] is shown to guarantee progress within 
expected constant time, and [2], where the randomized self-stabilizing minimum spanning tree
algorithm of [3] is shown to guarantee stabilization within an expected time proportional to 
the diameter of a network. The analysis of [18] is based on converting a probabilistic property 
into a property of some of the computations of an algorithm (extreme fair computations); the
analysis of [15, 19, 2] is based on part of the methodology used in this paper. Other work is
based on probabilistic model checking (e.g, [21, 11]). 

Prior to the algorithm of Aspnes and Herlihy, the best known randomized algorithm for 
consensus with shared memory was due to Abrahamson [1]. The algorithm has exponential 
expected running time. The algorithm of Aspnes and Herlihy was improved by Attiya, Dolev, 
and Shavit [6] by eliminating the use of unbounded counters needed for the random walk. 
Further improvements were proposed by Aspnes [4], and by Dwork, Herlihy, Plotkin, and 
Waarts [7]. The best known algorithm [7] runs in an expected $O(n(p^2 + n))$ total atomic
register operations, where n is the number of processes and p is the number of processes that 
participate in the consensus protocol. 

The rest of the paper is organized as follows. Section 2 presents the basic theoretical 
tools for our analysis, including probabilistic I/O automata, abstract complexity measures, 
progress statements and refinement mappings; Section 3 presents a coin lemma for random 
walks and a result about the expected complexity of a random walk within a probabilistic I/O 
automaton; Section 4 presents the algorithm of Aspnes and Herlihy and describes formally 
the module that carries out the agreement attempts; Sections 5 and 6 prove that the Aspnes- 
Herlihy algorithm satisfies the validity and agreement properties; Section 7 proves several 
progress properties of the algorithm that are not based on any probabilistic argument; Section 8 
proves the probabilistic progress properties of the algorithm by using the results of Section 7; 
Section 9 builds the module that conducts the random walk; Section 10 builds the shared 
counter needed in Section 9; Section 11 derives the termination properties of the algorithm, 
where the complexity is measured in terms of expected number of rounds; Section 12 studies 
the expected time complexity of the algorithm; Section 13 gives some concluding remarks and 
discusses the kinds of modularization that we use in the proof. 



Part I: The Underlying Theory 



2 Formal Model and Tools 

In this section we introduce the formalism that we use in the paper. We start with ordinary 
I/O automata following the style of [16, 14]; then we move to probabilistic I/O automata 
by adding the input/output structure to the probabilistic automata of [20]. We describe 
methods to handle complexity measures within probabilistic automata, and we present progress 
statements as a basic tool for the complexity analysis of a probabilistic system. Finally, we 
describe verification techniques based on refinements and traces. 

2.1 I/O Automata 

An I/O automaton A consists of five components:

• a set States(A) of states.

• a non-empty set $Start(A) \subseteq States(A)$ of start states.

• an action signature $Sig(A) = (in(A), out(A), int(A))$, where in(A), out(A) and int(A)
are disjoint sets: in(A) is the set of input actions, out(A) is the set of output actions,
and int(A) is the set of internal actions.

• a transition relation $Trans(A) \subseteq States(A) \times Actions(A) \times States(A)$, where Actions(A)
denotes the set $in(A) \cup out(A) \cup int(A)$, such that for each state s of States(A) and each
input action a of in(A) there is a state s' such that (s, a, s') is an element of Trans(A).
The elements of Trans(A) are called transitions, and A is said to be input enabled.

• a task partition Tasks(A), which is an equivalence relation on $int(A) \cup out(A)$ that has
at most countably many equivalence classes. An equivalence class of Tasks(A) is called
a task of A.

In the rest of the paper we refer to I/O automata as automata. 

A state s of A is said to enable a transition if there is a transition (s, a, s') in Trans(A); an
action a is said to be enabled from s if there is a transition (s, a, s') in Trans(A); a task T of
A is said to be enabled from s if there is an action $a \in T$ that is enabled from s.

An execution fragment of an automaton A is a sequence $\alpha$ of alternating states and actions
of A starting with a state, and, if $\alpha$ is finite, ending with a state, $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$, such that
for each $i \geq 0$ there exists a transition $(s_i, a_{i+1}, s_{i+1})$ of A. Denote by $fstate(\alpha)$ the first state
of $\alpha$ and, if $\alpha$ is finite, denote by $lstate(\alpha)$ the last state of $\alpha$. Denote by $frag^*(A)$ the set of
finite execution fragments of A. An execution is an execution fragment whose first state is a
start state.

An execution fragment $\alpha$ is said to be fair iff the following conditions hold for every task
T of A:

1. if $\alpha$ is finite then T is not enabled in $lstate(\alpha)$;

2. if a is infinite, then either actions from T occur infinitely many times in a, or a contains 
infinitely many occurrences of states from which T is not enabled. 

A state s of A is reachable if there exists a finite execution of A that ends in s. Denote by
rstates(A) the set of reachable states of A. A property $\phi$ of states is said to be stable for an
execution fragment $\alpha = s_0 a_1 s_1 \cdots$ if, once $\phi$ is true, $\phi$ remains true in all later states. That is,
for every $i \geq 0$, $\phi(s_i) \Rightarrow \forall j \geq i,\ \phi(s_j)$.

A finite execution fragment $\alpha_1 = s_0 a_1 s_1 \cdots a_n s_n$ of A and an execution fragment $\alpha_2 =
s_n a_{n+1} s_{n+1} \cdots$ of A can be concatenated. The concatenation, written $\alpha_1 \frown \alpha_2$, is the execution
fragment $s_0 a_1 s_1 \cdots a_n s_n a_{n+1} s_{n+1} \cdots$. An execution fragment $\alpha_1$ of A is a prefix of an execution
fragment $\alpha_2$ of A, written $\alpha_1 \leq \alpha_2$, iff either $\alpha_1 = \alpha_2$ or $\alpha_1$ is finite and there exists an execution
fragment $\alpha_1'$ of A such that $\alpha_2 = \alpha_1 \frown \alpha_1'$. If $\alpha = \alpha_1 \frown \alpha_2$, then $\alpha_2$ is called a suffix of $\alpha$, and
it is denoted alternatively by $\alpha \triangleright \alpha_1$.
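The definitions of Section 2.1 are concrete enough to encode and check mechanically, which is how a practitioner catches a model that quietly refuses an input (and so assumes more about its environment than an adversary will grant). The following Python is an added illustration, not code from the paper: an `IOAutomaton` class holding the five components, a constructed request/work/reply server automaton (my own example; its state and action names are assumptions), and checks for input enabledness, validity of an execution fragment, fairness condition 1 for a finite execution, reachable states, concatenation and prefix.

```python
from collections import deque


class IOAutomaton:
    """An I/O automaton as in Section 2.1 (constructed illustration, not the
    paper's code).  trans is a set of (s, a, s') triples; tasks is a list of
    disjoint action sets partitioning int ∪ out."""

    def __init__(self, states, start, inputs, outputs, internal, trans, tasks):
        self.states, self.start = set(states), set(start)
        self.inputs, self.outputs, self.internal = set(inputs), set(outputs), set(internal)
        self.trans, self.tasks = set(trans), [set(t) for t in tasks]
        assert self.start and self.start <= self.states, "need non-empty Start(A) ⊆ States(A)"
        assert not (self.inputs & self.outputs) and not (self.inputs & self.internal) \
            and not (self.outputs & self.internal), "signature sets must be disjoint"
        local = self.outputs | self.internal
        assert set().union(*self.tasks) == local and \
            sum(map(len, self.tasks)) == len(local), "Tasks(A) must partition int ∪ out"

    def enabled(self, s, a):
        return any((s, a, t) in self.trans for t in self.states)

    def is_input_enabled(self):
        """Every input action must be enabled from every state: the automaton
        cannot refuse an input its environment decides to deliver."""
        return all(self.enabled(s, a) for s in self.states for a in self.inputs)

    def enabled_tasks(self, s):
        return [T for T in self.tasks if any(self.enabled(s, a) for a in T)]

    def is_execution_fragment(self, alpha):
        """alpha = (s0, a1, s1, ..., an, sn): each step must be a transition."""
        if len(alpha) % 2 == 0 or alpha[0] not in self.states:
            return False
        return all((alpha[i], alpha[i + 1], alpha[i + 2]) in self.trans
                   for i in range(0, len(alpha) - 1, 2))

    def is_fair_finite(self, alpha):
        """Fairness condition 1: no task of A is enabled in lstate(alpha)."""
        return self.is_execution_fragment(alpha) and not self.enabled_tasks(alpha[-1])

    def reachable(self):
        """rstates(A): states at the end of some finite execution."""
        seen, todo = set(self.start), deque(self.start)
        while todo:
            s = todo.popleft()
            for (x, _, t) in self.trans:
                if x == s and t not in seen:
                    seen.add(t)
                    todo.append(t)
        return seen


def concat(a1, a2):
    """a1 ⌢ a2, defined only when lstate(a1) = fstate(a2)."""
    assert a1[-1] == a2[0], "fragments cannot be concatenated"
    return a1 + a2[1:]


def is_prefix(a1, a2):
    return len(a1) <= len(a2) and a2[:len(a1)] == a1


def server_automaton(drop_request_in_done=False):
    """Constructed example: idle -request-> busy -work-> done -reply-> idle.
    'request' is an input, so it must be enabled (as a self-loop) in every
    state; drop_request_in_done=True deliberately breaks input enabledness."""
    trans = {('idle', 'request', 'busy'), ('busy', 'request', 'busy'),
             ('busy', 'work', 'done'), ('done', 'reply', 'idle')}
    if not drop_request_in_done:
        trans.add(('done', 'request', 'done'))
    return IOAutomaton(['idle', 'busy', 'done'], ['idle'], ['request'],
                       ['reply'], ['work'], trans, [['work'], ['reply']])
```

The finite execution `idle request busy` is not fair because the task {work} is still enabled in its last state; once `work` and `reply` have fired and the server is back in `idle`, no task is enabled and condition 1 holds.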

2.2 Probabilistic I/O Automata 

2.2.1 Preliminaries on Probability Theory 

A probability space is a triplet $(\Omega, \mathcal{F}, P)$ where

1. $\Omega$ is a set, also called the sample space,

2. $\mathcal{F}$ is a collection of subsets of $\Omega$ that is closed under complement and countable union
and such that $\Omega \in \mathcal{F}$, also called a $\sigma$-field, and

3. $P$ is a function from $\mathcal{F}$ to $[0, 1]$ such that $P[\Omega] = 1$ and such that for any collection $\{C_i\}_i$
of at most countably many pairwise disjoint elements of $\mathcal{F}$, $P[\bigcup_i C_i] = \sum_i P[C_i]$.

The pair $(\Omega, \mathcal{F})$ is called a measurable space, and the measure $P$ is called a probability measure.

A probability space $(\Omega, \mathcal{F}, P)$ is discrete if $\mathcal{F} = 2^{\Omega}$ and for each $C \subseteq \Omega$, $P[C] = \sum_{x \in C} P[\{x\}]$.
For any arbitrary set X, let Probs(X) denote the set of discrete probability distributions whose
sample space is a subset of X and such that all the elements of the sample space have a non-zero
probability.

A function $f : \Omega_1 \to \Omega_2$ is said to be measurable from $(\Omega_1, \mathcal{F}_1)$ to $(\Omega_2, \mathcal{F}_2)$ if for each
$E \in \mathcal{F}_2$, $f^{-1}(E) \in \mathcal{F}_1$. Given a probability space $(\Omega_1, \mathcal{F}_1, P_1)$, a measurable space $(\Omega_2, \mathcal{F}_2)$,
and a measurable function $f$ from $(\Omega_1, \mathcal{F}_1)$ to $(\Omega_2, \mathcal{F}_2)$, let $f(P_1)$, the image measure of $P_1$,
be the measure defined on $(\Omega_2, \mathcal{F}_2)$ as follows: for each $E \in \mathcal{F}_2$, $f(P_1)(E) = P_1(f^{-1}(E))$.
Standard measure theory arguments show that $(\Omega_2, \mathcal{F}_2, f(P_1))$ is a probability space. If $(\Omega, \mathcal{F}, P)$
is discrete, then we can define $f((\Omega, \mathcal{F}, P))$ as $(f(\Omega), 2^{f(\Omega)}, f(P))$.

For notational convenience we denote a probability space $(\Omega, \mathcal{F}, P)$ by $\mathcal{P}$. We also use
primes and indices that carry over automatically to the components of a probability space.
Thus, for example, $\mathcal{P}'_i$ denotes $(\Omega'_i, \mathcal{F}'_i, P'_i)$.

Given a probability space $\mathcal{P}$ and a set X, we abuse notation and we write $P[X]$ even if
X contains elements that are not in $\Omega$. By writing $P[X]$ we mean implicitly $P[X \cap \Omega]$. Also,
given an element x, we write $P[x]$ for $P[\{x\}]$.

Given two discrete probability spaces $\mathcal{P}_1$ and $\mathcal{P}_2$, define the product $\mathcal{P}_1 \otimes \mathcal{P}_2$ of $\mathcal{P}_1$ and $\mathcal{P}_2$ to
be the triplet $(\Omega_1 \times \Omega_2, 2^{\Omega_1 \times \Omega_2}, P_1 \otimes P_2)$, where, for each $(x_1, x_2) \in \Omega_1 \times \Omega_2$, $P_1 \otimes P_2[(x_1, x_2)] =
P_1[x_1] P_2[x_2]$.

We conclude with some notions about random variables that are needed in some of the
proofs of our results. Let $(\mathbb{R}, \mathcal{F}_{\mathbb{R}})$ be a measurable space with the real numbers as sample
space. Given a probability space $\mathcal{P}$, a random variable X for $\mathcal{P}$ is a measurable function from
$(\Omega, \mathcal{F})$ to $(\mathbb{R}, \mathcal{F}_{\mathbb{R}})$. As an example, a random variable could be the function that expresses the
complexity of each element of $\Omega$. It is possible to study the expected value of a random variable,
that is, the average complexity of the elements of $\Omega$, as follows: $E[X] = \sum_{x \in \Omega} X(x) P[x]$. A
useful property of expected values is the following.

Proposition 2.1 Let $\mathcal{P}$ be a probability space and let X be a random variable for $\mathcal{P}$. For
$i \geq 0$, let the expression $X \geq i$ denote the event $\{x \in \Omega \mid X(x) \geq i\}$.

1. If the range of X is the set of natural numbers, then $E[X] = \sum_{i > 0} P[X \geq i]$.

2. $E[X] \geq \sum_{i > 0} P[X \geq i]$.

Proof. For $i \geq 0$, let the expression $X = i$ denote the event $\{x \in \Omega \mid X(x) = i\}$. If the
range of X is the set of natural numbers, then the expression for $E[X]$ can be rewritten as
$E[X] = \sum_{i \geq 0} i\, P[X = i]$. That is, $E[X]$ is a sum of terms such that each term $P[X = i]$
appears i times. By rearranging the terms we obtain $E[X] = \sum_{i > 0} \sum_{j \geq i} P[X = j]$, that is,
$E[X] = \sum_{i > 0} P[X \geq i]$. This proves the first item. For the second item, let $\bar{X}$ be defined as
follows: for each $x \in \Omega$, $\bar{X}(x) = \lfloor X(x) \rfloor$. It is easy to show that $\bar{X}$ is a random variable. From
the definition of $\bar{X}$, $E[X] \geq E[\bar{X}]$ and for each $i \geq 0$, $P[\bar{X} \geq i] = P[X \geq i]$. Thus, using item
1, $E[X] \geq E[\bar{X}] = \sum_{i > 0} P[\bar{X} \geq i] = \sum_{i > 0} P[X \geq i]$. ■

2.2.2 Probabilistic I/O Automata 

A probabilistic I/O automaton M consists of five components:

• a set States(M) of states.

• a non-empty set $Start(M) \subseteq States(M)$ of start states.

• an action signature Sig(M).

• a transition relation $Trans(M) \subseteq States(M) \times Actions(M) \times Probs(States(M))$ such that
for each state s of States(M) and each input action a of in(M) there is a distribution $\mathcal{P}$
such that $(s, a, \mathcal{P})$ is an element of Trans(M). We say that M is input-enabled.

• a task partition Tasks(M), which is an equivalence relation on $int(M) \cup out(M)$ that
has at most countably many equivalence classes.

In the rest of the paper we refer to probabilistic I/O automata as probabilistic automata. 

Execution fragments and executions are defined similarly to the non-probabilistic case. An
execution fragment of M is a sequence $\alpha$ of alternating states and actions of M starting with
a state, and, if $\alpha$ is finite, ending with a state, $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$, such that for each $i \geq 0$ there
exists a transition $(s_i, a_{i+1}, \mathcal{P})$ of M such that $s_{i+1} \in \Omega$. All the terminology that is used for
executions in the non-probabilistic case applies to the probabilistic case as well.

2.2.3 Probabilistic Executions 

An execution fragment of M is the result of resolving both the probabilistic and the nonde- 
terministic choices of M. If only the nondeterministic choices are resolved, then we obtain a 
structure similar to a cycle-free Markov chain, which we call a probabilistic execution fragment 
of M. From the point of view of the study of algorithms, the nondeterminism is resolved by 
an adversary that chooses a transition to schedule based on the past history of the system. A 
probabilistic execution is the result of the action of some adversary. A probabilistic execution 
can be thought of as the result of unfolding the transition relation of a probabilistic automaton 
and then choosing one transition for each state of the unfolding. We also allow an adversary to 
use randomization in its choices, that is, a transition to be chosen probabilistically. This models 
the fact that the environment of a probabilistic automaton may provide input randomly. 

Formally, a probabilistic execution fragment H of a probabilistic automaton M consists of
four components.

• a set of states $States(H) \subseteq frag^*(M)$; let q range over the states of H;

• a signature Sig(H) = Sig(M);

• a singleton set $Start(H) \subseteq States(M)$;

• a transition relation $Trans(H) \subseteq States(H) \times Probs((Actions(H) \times States(H)) \cup \{\delta\})$ such
that for each transition $(q, \mathcal{P})$ of H there is a family $\{(lstate(q), a_i, \mathcal{P}_i)\}_{i \geq 0}$ of transitions of
M and a family $\{p_i\}_{i \geq 0}$ of probabilities satisfying the following properties: $\sum_{i \geq 0} p_i \leq 1$,
$P[\delta] = 1 - \sum_{i \geq 0} p_i$, and for each action a and state s, $P[(a, q a s)] = \sum_{i \mid a_i = a} p_i P_i[s]$.

Furthermore, each state of H is reachable, where reachability is defined analogously to the
notion of reachability for probabilistic automata after defining an execution of a probabilistic
execution fragment in the obvious way. A probabilistic execution H of a probabilistic automaton
M is a probabilistic execution fragment of M whose start state is a state of Start(M).

A probabilistic execution is like a probabilistic automaton, except that within a transition
it is possible to choose probabilistically over actions as well. Furthermore, a transition may
contain a special symbol $\delta$, which corresponds to not scheduling any transition. In particular,
it is possible that from a state q a transition is scheduled only with some probability $p < 1$. In
such a case the probability of $\delta$ is $1 - p$.

We now define the probability space associated with a probabilistic execution fragment, so
that its probabilistic behavior can be studied. Given a probabilistic execution fragment H,
the sample space $\Omega_H$ is the limit closure of States(H), where the limit is taken under prefix
ordering. The $\sigma$-field $\mathcal{F}_H$ is the smallest $\sigma$-field that contains the set of cones $C_q$, consisting
of those executions of $\Omega_H$ having q as a prefix. The probability measure $P_H$ is the unique
extension of the probability measure defined on cones as follows: $P_H[C_q]$ is the product of
the probabilities of each transition of H leading to q. It is possible to show that there is a
unique probability measure having the property above, and thus $(\Omega_H, \mathcal{F}_H, P_H)$ is a well defined
probability space. The proof is analogous to the proof given in [20] for a similar probability
space.

An event E of H is an element of $\mathcal{F}_H$. An event E is called finitely satisfiable if it can
be expressed as a union of cones. A finitely satisfiable event can be represented by a set of
incomparable states of H, that is, by a set $\Theta \subseteq States(H)$ such that for each $q_1, q_2 \in \Theta$, $q_1 \not\leq q_2$
and $q_2 \not\leq q_1$. The event denoted by $\Theta$ is $\bigcup_{q \in \Theta} C_q$. We abuse notation by writing $P_H[\Theta]$ for
$P_H[\bigcup_{q \in \Theta} C_q]$. We call a set of incomparable states of H a cut of H, and we say that a cut $\Theta$
is full if $P_H[\Theta] = 1$. Denote by cuts(H) the set of cuts of H, and denote by full-cuts(H) the
set of full cuts of H.

An important event of $\mathcal{P}_H$ is the set of fair executions of $\Omega_H$. We define a probabilistic
execution fragment H to be fair if the set of fair executions has probability 1 in $\mathcal{P}_H$.

We conclude by extending the $\triangleright$ operator to probabilistic execution fragments. Given a
probabilistic execution fragment H of M and a state q of H, define $H \triangleright q$ (the fragment of H
given that q has occurred), to be the probabilistic execution fragment of M obtained from H
by removing all the states that do not have q as a prefix, by replacing all other states q' with
$q' \triangleright q$, and by defining $lstate(q)$ to be the new start state. An important property of $H \triangleright q$ is the
following.

Proposition 2.2 For each state q' of $H \triangleright q$, $P_{H \triangleright q}[C_{q'}] = P_H[C_{q \frown q'}] / P_H[C_q]$. ■

2.3 Parallel Composition 

Two probabilistic automata $M_1$ and $M_2$ are compatible iff $int(M_1) \cap acts(M_2) = \emptyset$ and
$acts(M_1) \cap int(M_2) = \emptyset$. The parallel composition of two compatible probabilistic automata
$M_1$ and $M_2$, denoted by $M_1 \| M_2$, is the probabilistic automaton M such that

1. $States(M) = States(M_1) \times States(M_2)$.

2. $Start(M) = Start(M_1) \times Start(M_2)$.

3. $Sig(M) = ((in(M_1) \cup in(M_2)) - (out(M_1) \cup out(M_2)),\ out(M_1) \cup out(M_2),\ int(M_1) \cup int(M_2))$.

4. $((s_1, s_2), a, \mathcal{P}) \in Trans(M)$ iff $\mathcal{P} = \mathcal{P}_1 \otimes \mathcal{P}_2$ where

(a) if $a \in Actions(M_1)$ then $(s_1, a, \mathcal{P}_1) \in Trans(M_1)$, else $\mathcal{P}_1 = \mathcal{U}(s_1)$, and

(b) if $a \in Actions(M_2)$ then $(s_2, a, \mathcal{P}_2) \in Trans(M_2)$, else $\mathcal{P}_2 = \mathcal{U}(s_2)$,

where $\mathcal{U}(s)$ denotes the probability distribution concentrated on the single state s. Informally, two probabilistic
automata synchronize on their common actions and evolve independently on the others.
Whenever a synchronization occurs, the state that is reached is obtained by choosing a state
independently for each of the probabilistic automata involved.

In a parallel composition the notion of projection is one of the main tools to support
modular reasoning. A projection of an execution fragment $\alpha$ onto a component in a parallel
composition context is the contribution of the component to obtain $\alpha$. Formally, let M be
$M_1 \| M_2$, and let $\alpha$ be an execution fragment of M. The projection of $\alpha$ onto $M_i$, denoted by
$\alpha \lceil M_i$, is the sequence obtained from $\alpha$ by replacing each state with its i-th component and by
removing all actions that are not actions of $M_i$ together with their following state. It is the
case that $\alpha \lceil M_i$ is an execution fragment of $M_i$.

The notion of projection can be extended to probabilistic executions (cf. Section 4.3 of
[20]). Here we do not present the formal definition of projection; rather, we present some
properties of a projection that are needed for our analysis, and we refer the reader to [20] for
a more detailed description. Given a probabilistic execution fragment H of M, it is possible
to define an object $H \lceil M_i$, which is a probabilistic execution fragment of $M_i$ that informally
represents the contribution of $M_i$ to H. The states of $H \lceil M_i$ are the projections onto $M_i$ of
the states of H. The most important fact is that the probability space associated with $H \lceil M_i$
is the image space under projection of the probability space associated with H. This property
allows us to prove probabilistic properties of H based on probabilistic properties of $H \lceil M_i$.

Proposition 2.3 Let M be $M_1 \| M_2$, and let H be a probabilistic execution fragment of M.
Let $i \in \{1, 2\}$. Then $\Omega_{H \lceil M_i} = \{\alpha \lceil M_i \mid \alpha \in \Omega_H\}$, and for each $\Theta \in \mathcal{F}_{H \lceil M_i}$, $P_{H \lceil M_i}[\Theta] =
P_H[\{\alpha \in \Omega_H \mid \alpha \lceil M_i \in \Theta\}]$. ■
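The composition rule (item 4 above) and the projection $\alpha \lceil M_i$ are the two operations a modular proof relies on, so it is worth seeing them executed. The following Python is an added illustration, not code from the paper: `compose` builds $M_1 \| M_2$ from two automata given as action sets plus a transition function, taking the product distribution when both participate and a Dirac distribution $\mathcal{U}(s)$ for a non-participant; `project` computes $\alpha \lceil M_i$ and `is_execution_fragment` checks the claim that the projection is an execution fragment of $M_i$. The two example automata (a bit generator and a bit recorder) and all their names are my own constructions.

```python
from fractions import Fraction

# Constructed illustration (not the paper's code).  A probabilistic automaton
# is a dict with action sets 'in', 'out', 'int' and a function
# trans(s) -> list of (a, P), where P maps successor states to probabilities.


def dirac(s):
    """U(s): the distribution concentrated on the single state s."""
    return {s: Fraction(1)}


def product(P1, P2):
    """P1 ⊗ P2: independent choice of a successor in each component."""
    return {(s1, s2): p1 * p2 for s1, p1 in P1.items() for s2, p2 in P2.items()}


def actions(M):
    return M['in'] | M['out'] | M['int']


def enabled(M, s, a):
    """All distributions P with (s, a, P) ∈ Trans(M) (several if nondeterministic)."""
    return [P for (b, P) in M['trans'](s) if b == a]


def compatible(M1, M2):
    return not (M1['int'] & actions(M2)) and not (actions(M1) & M2['int'])


def compose(M1, M2):
    """M1 || M2 as in Section 2.3: synchronise on shared actions, let the
    non-participant stay put (Dirac distribution), take the product otherwise."""
    assert compatible(M1, M2), "internal actions must not be shared"
    acts1, acts2 = actions(M1), actions(M2)

    def trans(s):
        s1, s2 = s
        result = []
        for a in sorted(acts1 | acts2):
            P1s = enabled(M1, s1, a) if a in acts1 else [dirac(s1)]
            P2s = enabled(M2, s2, a) if a in acts2 else [dirac(s2)]
            result += [(a, product(P1, P2)) for P1 in P1s for P2 in P2s]
        return result

    out = M1['out'] | M2['out']
    return {'in': (M1['in'] | M2['in']) - out, 'out': out,
            'int': M1['int'] | M2['int'], 'trans': trans}


def project(alpha, i, Mi):
    """alpha⌈Mi: keep component i of every state; drop each action not in
    Actions(Mi) together with the state that follows it."""
    acts = actions(Mi)
    out = [alpha[0][i]]
    for j in range(1, len(alpha), 2):
        if alpha[j] in acts:
            out += [alpha[j], alpha[j + 1][i]]
    return tuple(out)


def is_execution_fragment(M, alpha):
    """Every step (s, a, s') must have s' in the support of some (s, a, P)."""
    return all(any(alpha[j + 2] in P for P in enabled(M, alpha[j], alpha[j + 1]))
               for j in range(0, len(alpha) - 1, 2))


# M1: flips an internal fair coin, then outputs bit0 or bit1 accordingly.
def gen_trans(s):
    if s == 'ready':
        return [('flip', {('got', 0): Fraction(1, 2), ('got', 1): Fraction(1, 2)})]
    return [('bit%d' % s[1], dirac('ready'))]


GEN = {'in': set(), 'out': {'bit0', 'bit1'}, 'int': {'flip'}, 'trans': gen_trans}


# M2: records received bits; input-enabled for bit0/bit1, with an internal reset.
def rec_trans(log):
    return [('bit0', dirac(log + (0,))), ('bit1', dirac(log + (1,))),
            ('reset', dirac(()))]


REC = {'in': {'bit0', 'bit1'}, 'out': set(), 'int': {'reset'}, 'trans': rec_trans}
```

In the composed automaton the actions `bit0` and `bit1` are outputs (they are outputs of GEN), so they disappear from the input set, while `flip` and `reset` stay internal; an execution of the composition projects onto REC by dropping the `flip` step that REC does not see.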



2.4 Complexity Measures 

A complexity function is a function from execution fragments of M to $\mathbb{R}^{\geq 0}$. A complexity
measure is a complexity function $\phi$ such that, for each pair $\alpha_1$ and $\alpha_2$ of execution fragments
that can be concatenated, $\max(\phi(\alpha_1), \phi(\alpha_2)) \leq \phi(\alpha_1 \frown \alpha_2) \leq \phi(\alpha_1) + \phi(\alpha_2)$.

Informally, a complexity measure is a function that determines the complexity of an ex- 
ecution fragment. A complexity measure satisfies two natural requirements: the complexity 
of two tasks performed sequentially should not exceed the complexity of performing the two 
tasks separately and should be at least as large as the complexity of the more complex task; it 
should not be possible to accomplish more by working less. In this section we present several 
results that apply to complexity functions; later in the paper we present results that apply 
only to complexity measures. 

2.4.1 Expected Complexity 

Consider a probabilistic execution fragment H of M and a finitely satisfiable event $\Theta$ of $\mathcal{F}_H$.
Informally, the elements of $\Theta$ represent the points where the property denoted by $\Theta$ is satisfied.
Let $\phi$ be a complexity function. Then, we can define the expected complexity $\phi$ to reach $\Theta$ in
H as follows:

$$E_\phi[H, \Theta] = \begin{cases} \sum_{q \in \Theta} \phi(q) P_H[C_q] & \text{if } P_H[\Theta] = 1 \\ \infty & \text{otherwise.} \end{cases}$$

Complexity functions on full cuts enjoy several properties that are typical of random variables
[8]. That is, if $\Theta$ is a full cut, then H induces a probability distribution $\mathcal{P}_\Theta$ over the states
of $\Theta$. In such case, $\phi$ is a random variable and $E_\phi[H, \Theta]$ is the expected value of the random
variable.
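Sections 2.2.3 and 2.4.1 describe a construction that can be carried out exactly on a small automaton: resolve the nondeterminism with an adversary (the scheduler-level attacker of a protocol analysis), unfold the result into a probabilistic execution fragment H whose states are finite execution fragments of M, assign cone probabilities $P_H[C_q]$, pick a full cut, and compute $E_\phi[H, \Theta]$. The following Python is an added illustration, not code from the paper. The automaton (a process that flips a fair coin until it sees heads), the deterministic `always_schedule` adversary, the depth cut-off that keeps H finite, and the function names are my own assumptions; `conditional` builds $H \triangleright q$ and `satisfies_prop_2_2` checks Proposition 2.2 on it.

```python
from fractions import Fraction

# Constructed example (not the paper's code): the coin-until-heads process as a
# probabilistic automaton, with trans(s) -> list of (action, {s': probability}).


def coin_trans(s):
    mode, k = s                      # k = number of flips performed so far
    if mode == 'flip':
        return [('flip', {('flip', k + 1): Fraction(1, 2),
                          ('done', k + 1): Fraction(1, 2)})]
    return []                        # 'done' states enable nothing


def always_schedule(q, enabled):
    """A deterministic adversary: schedule the first enabled transition, or
    nothing (δ) when none is enabled.  q is the history it may inspect."""
    return enabled[0] if enabled else None


def unfold(trans, start, adversary, depth):
    """A probabilistic execution fragment H of M: states are finite execution
    fragments q = (s0, a1, s1, ...); H[q] is the distribution over pairs
    (a, q a s') plus the symbol 'δ'.  The adversary is cut off after `depth`
    actions so that the structure is finite."""
    H, todo = {}, [(start,)]
    while todo:
        q = todo.pop()
        n_actions = len(q) // 2
        choice = adversary(q, trans(q[-1])) if n_actions < depth else None
        if choice is None:
            H[q] = {'δ': Fraction(1)}
            continue
        a, P = choice
        H[q] = {}
        for s2, p in P.items():
            H[q][(a, q + (a, s2))] = p
            todo.append(q + (a, s2))
    return H


def cone_prob(H, q):
    """P_H[C_q]: product of the transition probabilities leading to q."""
    p = Fraction(1)
    for i in range(0, len(q) - 1, 2):
        prefix = q[:i + 1]
        p *= H[prefix].get((q[i + 1], q[:i + 3]), Fraction(0))
    return p


def is_prefix(q1, q2):
    return len(q1) <= len(q2) and q2[:len(q1)] == q1


def is_cut(theta):
    """A cut: pairwise incomparable states of H."""
    return all(not is_prefix(q1, q2) for q1 in theta for q2 in theta if q1 != q2)


def leaves(H):
    """States where the adversary stops; in a finite unfolding they form a full cut."""
    return [q for q, d in H.items() if 'δ' in d]


def expected_complexity(H, theta, phi):
    """E_phi[H, Θ] from Section 2.4.1; ∞ unless Θ is a full cut."""
    if not is_cut(theta) or sum(cone_prob(H, q) for q in theta) != 1:
        return float('inf')
    return sum(phi(q) * cone_prob(H, q) for q in theta)


def conditional(H, q):
    """H ▷ q: keep the states extending q and rebase them at lstate(q)."""
    rebase = lambda q2: q2[len(q) - 1:]
    return {rebase(q2): {k if k == 'δ' else (k[0], rebase(k[1])): p
                         for k, p in d.items()}
            for q2, d in H.items() if is_prefix(q, q2)}


def satisfies_prop_2_2(H, q):
    """P_{H▷q}[C_q'] = P_H[C_{q⌢q'}] / P_H[C_q] for every state q' of H▷q."""
    Hq, pq = conditional(H, q), cone_prob(H, q)
    return all(cone_prob(Hq, q2) == cone_prob(H, q[:-1] + q2) / pq for q2 in Hq)


def num_flips(q):
    """Complexity measure: number of 'flip' actions in the fragment."""
    return len(q) // 2


if __name__ == '__main__':
    H = unfold(coin_trans, ('flip', 0), always_schedule, 10)
    print(expected_complexity(H, leaves(H), num_flips))   # 1023/512
```

With the cut-off at 10 actions the leaves of H are a full cut, and the expected number of flips to reach it is $2 - 2^{-9}$; the truncation is what keeps the value below the untruncated expectation of 2, and a non-full cut (any proper subset of the leaves) is reported as $\infty$, exactly as the definition prescribes.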



2.4.2 Linear Combination of Complexity Functions 

If several complexity measures are related by a linear inequality, then their expected values over 
a full cut are related by the same linear inequality (cf. Proposition 2.4). We use this property 
for the time analysis of the protocol of Aspnes and Herlihy. That is, we express the time 
complexity of the protocol in terms of two other complexity measures (rounds and elementary 
coin flips), and then we use Proposition 2.4 to derive an upper bound on the expected time 
for termination based on upper bounds on the expected values of the other two complexity 
measures. The analysis of the other two complexity measures is simpler, and the relationship 
between time and the other two complexity measures can be studied using known methods for 
ordinary nondeterministic systems, with no probability involved. 

Proposition 2.4 Let H be a probabilistic execution fragment of some probabilistic automaton
M, and let $\Theta$ be a full cut of H. Let $\phi, \phi_1, \phi_2$ be complexity functions, and $c_1, c_2$ be two
constants such that, for each $\alpha \in \Theta$, $\phi(\alpha) \leq c_1 \phi_1(\alpha) + c_2 \phi_2(\alpha)$. Then $E_\phi[H, \Theta] \leq c_1 E_{\phi_1}[H, \Theta] +
c_2 E_{\phi_2}[H, \Theta]$.

Proof. From the definition of $E_\phi[H, \Theta]$ and the relationship between $\phi$, $\phi_1$, and $\phi_2$,

$$E_\phi[H, \Theta] \leq \sum_{q \in \Theta} (c_1 \phi_1(q) + c_2 \phi_2(q)) P_H[C_q].$$

By a simple algebraic manipulation,

$$E_\phi[H, \Theta] \leq c_1 \sum_{q \in \Theta} \phi_1(q) P_H[C_q] + c_2 \sum_{q \in \Theta} \phi_2(q) P_H[C_q].$$

The two sums above coincide with the definitions of $E_{\phi_1}[H, \Theta]$ and $E_{\phi_2}[H, \Theta]$, respectively.
Thus, $E_\phi[H, \Theta] \leq c_1 E_{\phi_1}[H, \Theta] + c_2 E_{\phi_2}[H, \Theta]$. ■

2.4.3 Computation Subdivided into Phases 

In this section we study a property of complexity functions that becomes useful whenever 
a computation can be divided into phases. Specifically, suppose that in a system there are 
several phases, each one with its own complexity, and suppose that the complexity associated 
with each phase remains until the phase starts. Suppose that the expected complexity of 
each phase is bounded by some constant c. If we know that the expected number of phases 
that start is bounded by k, then the expected complexity of the system is bounded by ck. The 
difficult part of this result is that several phases may run concurrently. 

The protocol of Aspnes and Herlihy works in rounds. At each round a special coin flipping 
protocol is run, and the coin flipper flips a number of elementary coins (elementary coin flips). 
The expected number of elementary coin flips is bounded by some known value c independent 
of the round number. We also know an upper bound k on the expected number of rounds 
that are started. If we view each round as a phase, then Proposition 2.5 below says that the 
expected number of elementary coin flips is upper bounded by ck. 

Proposition 2.5 Let M be a probabilistic automaton. Let $\phi_1, \phi_2, \phi_3, \ldots$ be a countable collection
of complexity measures for M, and let $\phi'$ be a complexity function defined as $\phi'(\alpha) =
\sum_{i > 0} \phi_i(\alpha)$. Let c be a constant, and suppose that for each fair probabilistic execution fragment
H of M, each full cut $\Theta$ of H, and each $i > 0$, $E_{\phi_i}[H, \Theta] \leq c$.

Let H be a fair probabilistic execution fragment of M, and let $\phi$ be a complexity measure
for M. For each $i > 0$, let $\Theta_i$ be the set of minimal states q of H such that $\phi(q) \geq i$. Suppose
that for each $q \in \Theta_i$, $\phi_i(q) = 0$, and that for each state q of H and each $i > \phi(q)$, $\phi_i(q) = 0$.

Then, for each full cut $\Theta$ of H, $E_{\phi'}[H, \Theta] \leq c E_\phi[H, \Theta]$.

Proof. From the definition of $\phi'$,

$$E_{\phi'}[H, \Theta] = \sum_{q \in \Theta} \Big( \sum_{i > 0} \phi_i(q) \Big) P_H[C_q]. \qquad (1)$$

Since for each $q \in \Theta$ and each $i > \phi(q)$, $\phi_i(q) = 0$, Equation (1) can be rewritten as

$$E_{\phi'}[H, \Theta] = \sum_{q \in \Theta} \big( \phi_1(q) + \cdots + \phi_{\phi(q)}(q) \big) P_H[C_q], \qquad (2)$$

which can be rearranged into

$$E_{\phi'}[H, \Theta] = \sum_{i > 0} \Big( \sum_{q \in \Theta \mid \phi(q) \geq i} \phi_i(q) P_H[C_q] \Big). \qquad (3)$$

For each $i > 0$, let $\eta_i$ denote the set of minimal states q of H that are prefixes of some element
of $\Theta$ and such that $\phi(q) \geq i$. Then, by breaking the inner summation of Equation (3),

$$E_{\phi'}[H, \Theta] = \sum_{i > 0} \Big( \sum_{q \in \eta_i} P_H[C_q] \Big( \sum_{q' \in \Theta \mid q \leq q'} \phi_i(q') P_H[C_{q'}] / P_H[C_q] \Big) \Big). \qquad (4)$$

Since for each $q \in \eta_i$, $\phi_i(q) = 0$ ($\eta_i \subseteq \Theta_i$), the innermost expression of the right hand side of
Equation (4) is $E_{\phi_i}[H \triangleright q, (\Theta \cap C_q) \triangleright q]$. Since $H \triangleright q$ is a fair probabilistic execution fragment of
M as well, $E_{\phi_i}[H \triangleright q, (\Theta \cap C_q) \triangleright q] \leq c$. Thus,

$$E_{\phi'}[H, \Theta] \leq \sum_{i > 0} \Big( \sum_{q \in \eta_i} c\, P_H[C_q] \Big), \qquad (5)$$

and since $\sum_{q \in \eta_i} P_H[C_q] = P_H[\eta_i]$,

$$E_{\phi'}[H, \Theta] \leq c \sum_{i > 0} P_H[\eta_i]. \qquad (6)$$

Observe that $P_H[\eta_i]$ is the probability that $\phi$ is at least i in $\Theta$. Recall also that $\phi$ is a
random variable for the probability space identified by $\Theta$. Thus, by Proposition 2.1, part 2,
$\sum_{i > 0} P_H[\eta_i] \leq E_\phi[H, \Theta]$, and by substituting in (6), $E_{\phi'}[H, \Theta] \leq c E_\phi[H, \Theta]$. ■
2.4.4 Complexity Functions and Parallel Composition

To verify properties in a modular way it is useful to derive complexity properties of complex
systems based on complexity properties of the single components. Proposition 2.6 helps in
doing this.

Proposition 2.6 Let M be $M_1 \| M_2$, and let $i \in \{1, 2\}$. Let $\phi$ be a complexity function for
M, and let $\phi_i$ be a complexity function for $M_i$. Suppose that for each finite execution fragment
$\alpha$ of M, $\phi(\alpha) = \phi_i(\alpha \lceil M_i)$. Let c be a constant. Suppose that for each probabilistic execution
fragment H of $M_i$ and each full cut $\Theta$ of H, $E_{\phi_i}[H, \Theta] \leq c$. Then, for each probabilistic
execution fragment H of M and each full cut $\Theta$ of H, $E_\phi[H, \Theta] \leq c$.

Proof. Let H be a probabilistic execution fragment of M, and let $H_i$ denote $H \lceil M_i$. Let $\Theta$ be
a full cut of H. Build a discrete probability space $\mathcal{P}_i$ as follows: $\Omega_i = \{q \lceil M_i \mid q \in \Theta\}$, and for
each $q' \in \Omega_i$, $P_i[q'] = P_H[\{q \in \Theta \mid q \lceil M_i = q'\}]$. We prove first that the probability space $\mathcal{P}_i$ is
a fringe of $H_i$ as defined in [20], where a fringe of $H_i$ is a probability distribution $\mathcal{P}$ over the
states of $H_i$ such that, for each state q of $H_i$, $\sum_{q' \geq q} P[q'] \leq P_{H_i}[C_q]$.

Consider a state q of $H_i$. Then, from the definition of $\mathcal{P}_i$, $\sum_{q' \geq q} P_i[q'] = \sum_{q' \in \Theta \mid q' \lceil M_i \geq q} P_H[C_{q'}]$.
Since $\Theta$ is a cut of H, the right expression above is $P_H[\bigcup_{q' \in \Theta \mid q' \lceil M_i \geq q} C_{q'}]$. Furthermore, the
event $\bigcup_{q' \in \Theta \mid q' \lceil M_i \geq q} C_{q'}$ is a subset of the inverse image under projection of $C_q$. Thus, by
Proposition 2.3, $\sum_{q' \geq q} P_i[q'] \leq P_{H_i}[C_q]$. This completes the proof that $\mathcal{P}_i$ is a fringe.

Let $E_{\phi_i}[H_i, \mathcal{P}_i]$ denote $\sum_{q \in \Omega_i} \phi_i(q) P_i[q]$. Then, since for each finite execution fragment $\alpha$ of
M, $\phi(\alpha) = \phi_i(\alpha \lceil M_i)$, we derive $E_\phi[H, \Theta] = E_{\phi_i}[H_i, \mathcal{P}_i]$. We need to show that $E_{\phi_i}[H_i, \mathcal{P}_i] \leq c$.

Suppose for the sake of contradiction that $E_{\phi_i}[H_i, \mathcal{P}_i] > c$. Then there is a constant $k > 0$
such that $\sum_{q \in \Omega_i \mid length(q) < k} \phi_i(q) P_i[q] > c$. Consider the full cut $\Theta_k$ of $H_i$ containing all the
states q of $H_i$ with length k and all the elements of $\Omega_i$ with length less than k. Then, by
definition of $\Theta_k$, $\sum_{q \in \Omega_i \mid length(q) < k} \phi_i(q) P_i[q] \leq E_{\phi_i}[H_i, \Theta_k]$. This means that $E_{\phi_i}[H_i, \Theta_k] > c$,
contradicting the hypothesis that $E_{\phi_i}[H_i, \Theta_k] \leq c$. ■

The converse of Proposition 2.6 does not hold in general. In fact, even though for each
probabilistic execution fragment $H$ of $M$ and each full cut $\Theta$ of $H$, $E_\phi[H, \Theta] \le c$, there could be
a probabilistic execution fragment $H'$ of $M_i$ and a full cut $\Theta'$ of $H'$ such that $E_{\phi_i}[H', \Theta'] > c$.
As an example, $H'$ could be the projection of no probabilistic execution fragment of $M$. If
$i = 1$, then $H'$ could be a probabilistic execution fragment resulting from the interaction with
an environment that $M_2$ does not provide.

2.5 Probabilistic Complexity Statements 

A probabilistic complexity statement is a predicate that can be used to state whether all the 
fair probabilistic executions of a probabilistic automaton guarantee some reachability property 
within some time t with some minimum probability p. Probabilistic complexity statements 
essentially express partial progress properties of a probabilistic system. Such partial progress
properties can then be used to derive upper bounds on the expected complexity for progress. 

Probabilistic complexity statements can also be decomposed into simpler statements, thus 
splitting the progress properties of a randomized system into progress properties that either 
are simpler to analyze or can be derived by analyzing a smaller subcomponent of the system. 

Progress statements are introduced in [15, 19, 20]. In this section we specialize the theory 
of [20] to fair schedulers. 

2.5.1 Probabilistic Complexity Statements 

A probabilistic complexity statement is a predicate of the form $U \xrightarrow{\phi(c)}_p U'$, where $U$ and $U'$
are sets of states, $\phi$ is a complexity measure, and $c$ is a nonnegative real number. Informally,
the meaning of $U \xrightarrow{\phi(c)}_p U'$ is that starting from any state of $U$, under any fair scheduler, the
probability of reaching a state from $U'$ within complexity $c$ is at least $p$. The complexity of an
execution fragment is measured according to $\phi$.

Definition 2.7 Let $M$ be a probabilistic I/O automaton, $U, U' \subseteq States(M)$, $c \in \mathbb{R}$, and $\phi$
be a complexity measure. Then $U \xrightarrow{\phi(c)}_p U'$ is a predicate that is true for $M$ iff for each fair
probabilistic execution fragment $H$ of $M$ that starts from a state of $U$, $P_H[e_{U', \phi(c)}(H)] \ge p$,
where $e_{U', \phi(c)}(H)$ denotes the set of executions $\alpha$ of $\Omega_H$ with a prefix $\alpha'$ such that $\phi(\alpha') \le c$
and $lstate(\alpha') \in U'$. ■

The fair probabilistic execution fragments of a probabilistic automaton enjoy a property that 
in [20] is called finite history insensitivity . Thus, using a result of [20], the following holds, 
which permits us to decompose a progress property into simpler progress properties. 

Proposition 2.8 Let $M$ be a probabilistic automaton, and let $U, U', U'' \subseteq States(M)$. Let $\phi$
be a complexity measure. Then,

1. if $U \xrightarrow{\phi(c)}_p U'$ and $U' \xrightarrow{\phi(c')}_{p'} U''$, then $U \xrightarrow{\phi(c + c')}_{pp'} U''$;

2. if $U \xrightarrow{\phi(c)}_p U'$, then $U \cup U'' \xrightarrow{\phi(c)}_p U' \cup U''$. ■

2.5.2 From Probabilistic Complexity Statements to Expected Complexity

In this section we show how to use probabilistic complexity statements to derive properties 
about expected complexities. In the analysis of the protocol of Aspnes and Herlihy we use 
the result of this section to study the expected number of rounds that the protocol needs to
terminate. 

Let $M$ be a probabilistic automaton, and let $U, U' \subseteq States(M)$. We denote by $U \Rightarrow U \text{ unless } U'$
the predicate that is true for $M$ iff for every execution fragment $s a s'$ of $M$, $s \in U - U' \Rightarrow s' \in U \cup U'$.
Informally, $U \Rightarrow U \text{ unless } U'$ means that, once a state from $U$ is reached, $M$ remains in $U$ unless
$U'$ is reached.

For each probabilistic execution fragment $H$ of $M$, let $\Theta_{U'}(H)$ denote the set of minimal
states of $H$ where a state from $U'$ is reached. That is, $\Theta_{U'}(H)$ represents the event that
contains all those executions of $\Omega_H$ where a state from $U'$ is reached. The following theorem,
which is an instantiation of a more general result of [20], provides a way of computing the
expected complexity for satisfying $\Theta_{U'}(H)$.

Theorem 2.9 ([20]) Let $M$ be a probabilistic automaton and $\phi$ be a complexity measure for
$M$. Let $r$ be a real number such that for each execution fragment of $M$ of the form $s a s'$,
$\phi(s a s') \le r$, that is, each transition of $M$ can increase the complexity $\phi$ by at most $r$. Let $U$
and $U'$ be sets of states of $M$. Let $H$ be a probabilistic execution fragment of $M$ that starts from
a state of $U$, and suppose that for each state $q$ of $H$ such that $lstate(q) \in U$ some transition
is scheduled with probability 1 (i.e., the probability of $\delta$ in the transition enabled from $q$ in $H$
is 0). Furthermore, suppose that

1. $U \xrightarrow{\phi(c)}_p U'$ and

2. $U \Rightarrow U \text{ unless } U'$.

Then, $E_\phi[H, \Theta_{U'}(H)] \le (c + r)/p$.

Proof outline. We omit the proof that $P_H[\Theta_{U'}(H)] = 1$. Consider the cut $\Theta = \Theta_{U'} \cup \Theta_{c+r}$, where $\Theta_{U'}$ is
the subset of $\Theta_{U'}(H)$ of states $q$ with $\phi(q) \le c$, and $\Theta_{c+r}$ is the set of minimal states $q$ of $H$
such that $\phi(q) > c + r$ and such that no proper prefix of $q$ is in $\Theta_{U'}(H)$ (cf. Figure 1). Since
$P_H[\Theta_{U'}(H)] = 1$, $\Theta$ is a full cut. Then, from Item 1, $P_H[\Theta_{U'}] \ge p$. From Item 2, all the states
of $\Theta_{c+r}$ are still elements of $U$, and thus the experiment above can be repeated from those
points. Each experiment takes $c + r$ complexity units. Since we repeat a binary experiment
until it succeeds, and since each time the probability of success is at least $p$, we expect to
repeat the experiment $1/p$ times before being successful. Thus, the expected complexity for
reaching $U'$ is at most $(c + r)/p$.

It may be surprising to see that we start new experiments every $c + r$ complexity units
rather than every $c$ units. This is because $\Theta_{U'} \cup \Theta_c$ would not be a cut if $H$ contains a
transition that leaves from a $c$-complexity state and reaches a state from $U'$ with probability
$p'$ and a $(c + r)$-complexity state with probability $1 - p'$. For the fully detailed proof and for a
more general result the reader is referred to [20]. ■

Figure 1: Computation of the expected time from $U$ to $U'$.



2.5.3 How to Verify Probabilistic Complexity Statements 

A useful technique to prove the validity of a probabilistic complexity statement $U \xrightarrow{\phi(c)}_p U'$ for
a probabilistic automaton $M$ is the following.

1. Choose a set of random draws that may occur within a probabilistic execution of M, and 
choose some of the possible outcomes; 

2. Show that, no matter how the nondeterminism is resolved, the chosen random draws give 
the chosen outcomes with some minimum probability p; 

3. Show that whenever the chosen random draws give the chosen outcome, a state from $U'$
is reached within $c$ units of complexity $\phi$.

This technique corresponds to the informal arguments of correctness that appear in the litera- 
ture. Usually the intuition behind an algorithm is exactly that success is guaranteed whenever 
some specific random draws give some specific results. 

The first two steps can be carried out using the so-called coin lemmas [20], which provide 
rules to map a stochastic process onto a probabilistic execution and lower bounds on the 
probability of the mapped events based on the properties of the given stochastic process; the 
third step concerns non-probabilistic properties and can be carried out by means of any known 
technique for non-probabilistic systems. Coin lemmas are essentially a way of reducing the 
analysis of a probabilistic property to the analysis of an ordinary nondeterministic property. 
The importance of coin lemmas is also in the fact that a common source of errors in the analysis 
of a randomized algorithm is to map a probabilistic process onto a probabilistic execution in 
the wrong way, or, in other words, to believe that a probabilistic automaton always behaves 
like some defined probabilistic process while the claim is not true. In Section 3 we present a 
coin lemma that deals with random walks. 
2.6 Refinement Mappings and Traces

A common verification technique consists of specifying a system as an I/O automaton or a 
probabilistic I/O automaton and then building an implementation of the specification. Typ- 
ically the notion of implementation is identified by some form of language inclusion. The 
important fact is that the interesting properties of a specification are preserved by the notion 
of implementation, that is, whenever a property is true for the specification, such property is 
true for the implementation as well. In this section we provide the pieces of the technique that 
we use for the analysis of the algorithm of Aspnes and Herlihy. More details can be found in 
[16, 17, 20]. 

2.6.1 Traces and Trace Distributions 

Traces and trace distributions are abstractions of the behavior of automata and probabilistic
automata, respectively, that are based only on the sequences of external actions that the
automata can provide. Often, as is the case for the algorithm of Aspnes and Herlihy,
the interesting properties of a system can be expressed in terms of traces and trace distributions.
In such cases it is possible to use traces and trace distributions for the analysis and in particular
to use the related proof techniques.

Let $\alpha$ be an execution of an automaton $A$. The trace of $\alpha$, denoted by $trace(\alpha)$, is the
ordered sequence of the external actions that appear in $\alpha$. Denote a generic trace by $\beta$. A
trace is fair if it is the trace of a fair execution. Denote by $traces(A)$ the set of traces of $A$
and by $ftraces(A)$ the set of fair traces of $A$.

Let $H$ be a probabilistic execution fragment of a probabilistic automaton $M$. Let $\Omega =
ext(M)^* \cup ext(M)^\omega$ be the set of finite and infinite sequences of external actions of $M$. The
trace distribution of $H$, denoted by $tdistr(H)$, is the probability space $(\Omega, \mathcal{F}, P)$ where $\mathcal{F}$ is
the minimum $\sigma$-field that contains the set of cones $C_\beta$, where $\beta$ is an element of $ext(M)^*$, and
$P = trace(P_H)$, that is, for each $E \in \mathcal{F}$, $P[E] = P_H[\{\alpha \in \Omega_H \mid trace(\alpha) \in E\}]$. The fact that
$tdistr(H)$ is well defined follows from standard measure theory arguments. In simple words,
a trace distribution is just a probability distribution over traces induced by a probabilistic
execution. Denote a generic trace distribution by $\mathcal{D}$. A trace distribution of a probabilistic
automaton $M$ is the trace distribution of one of the probabilistic executions of $M$. A trace
distribution is fair if it is the trace distribution of a fair probabilistic execution. Denote
by $tdistrs(M)$ the set of trace distributions of $M$ and by $ftdistrs(M)$ the set of fair trace
distributions of $M$.

2.6.2 Refinements 

Denote a transition $(s, a, s')$ by $s \xrightarrow{a} s'$. For a finite sequence $a_1 \cdots a_n$ let $s \xrightarrow{a_1 \cdots a_n} s'$ if there is
a collection of states $s_1, \ldots, s_{n-1}$ such that $s \xrightarrow{a_1} s_1 \xrightarrow{a_2} \cdots \xrightarrow{a_{n-1}} s_{n-1} \xrightarrow{a_n} s'$. For any external
action $a$, let $s \stackrel{a}{\Longrightarrow} s'$ if there are two finite sequences $x, y$ of internal actions and two states
$s_1, s_2$ such that $s \xrightarrow{x} s_1 \xrightarrow{a} s_2 \xrightarrow{y} s'$. Let $s \Longrightarrow s'$ if there is a finite sequence $x$ of internal
actions such that $s \xrightarrow{x} s'$.

Let $A_1, A_2$ be two automata with the same external actions. A refinement from $A_1$ to $A_2$
is a function $h : States(A_1) \to States(A_2)$ such that the following conditions hold.

1. For each $s \in Start(A_1)$, $h(s) \in Start(A_2)$.

2. For each transition $s \xrightarrow{a} s'$ of $A_1$, $h(s) \stackrel{a}{\Longrightarrow} h(s')$ if $a$ is external, and $h(s) \Longrightarrow h(s')$ if $a$ is internal.

That is, $A_2$ can simulate all the transitions of $A_1$ via the refinement function $h$. An important
property of a refinement is the following.

Proposition 2.10 ([17]) Suppose that there exists a refinement from $A_1$ to $A_2$.
Then $traces(A_1) \subseteq traces(A_2)$. ■

A refinement can be defined also for probabilistic automata as follows. Let $M_1, M_2$ be two
probabilistic automata with the same external actions. A probabilistic refinement from $M_1$ to
$M_2$ is a function $h : States(M_1) \to States(M_2)$ such that the following conditions hold.

1. For each $s \in Start(M_1)$, $h(s) \in Start(M_2)$.

2. For each $s \xrightarrow{a} \mathcal{P}$, $h(s) \stackrel{a}{\Longrightarrow} h(\mathcal{P})$.

In particular, a refinement is a special case of a probabilistic refinement. The following property
is valid as well.

Proposition 2.11 ([20]) Suppose that there exists a probabilistic refinement from $M_1$ to $M_2$.
Then $tdistrs(M_1) \subseteq tdistrs(M_2)$. ■

Finally, the existence of refinements is preserved by parallel composition, thus enabling modular
verification.

Proposition 2.12 ([20]) Suppose that there exists a probabilistic refinement between two
probabilistic automata $M_1$ and $M_2$. Then, for each probabilistic automaton $M$ compatible
with $M_1$ and $M_2$, there exists a probabilistic refinement from $M_1 \| M$ to $M_2 \| M$. ■



2.6.3 The Execution Correspondence Theorem 

Refinements can be used also to show some liveness properties. Specifically, it is possible to 
use refinements to derive fair trace inclusion and fair trace distribution inclusion. Our main 
technique is based on the execution correspondence theorem [10], which allows us to establish
close relationships between the executions of two automata. 

We use refinements in the analysis of the shared counter in the algorithm of Aspnes and 
Herlihy. Our analysis is carried out mainly on an abstract specification of the counters. This 
allows us to avoid dealing with unimportant details. 

Let $A_1$ and $A_2$ be I/O automata with the same external actions and let $h$ be a refinement
from $A_1$ to $A_2$. For an execution fragment $\alpha$, let $|\alpha|$ denote the number of actions that occur
in $\alpha$. If $\alpha$ is an infinite execution fragment, then $|\alpha|$ is $\infty$. Let $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ and
$\alpha' = u_0 b_1 u_1 b_2 u_2 \cdots$ be executions of $A_1$ and $A_2$, respectively. We say that $\alpha$ and $\alpha'$ are $h$-related,
written $(\alpha, \alpha') \in h$, if there exists a total, nondecreasing mapping $m : \{0, 1, \ldots, |\alpha|\} \to
\{0, 1, \ldots, |\alpha'|\}$ such that

1. $m(0) = 0$,

2. $h(s_i) = u_{m(i)}$ for all $0 \le i \le |\alpha|$,

3. $trace(b_{m(i-1)+1} \cdots b_{m(i)}) = trace(a_i)$ for all $0 < i \le |\alpha|$, and

4. for all $j$, $0 \le j \le |\alpha'|$, there exists an $i$, $0 \le i \le |\alpha|$, such that $m(i) \ge j$.

Theorem 2.13 ([10]) Let $A_1$ and $A_2$ be automata with the same external actions, and let $h$
be a refinement from $A_1$ to $A_2$. Then, for each execution $\alpha_1$ of $A_1$ there is an execution $\alpha_2$ of
$A_2$ such that $(\alpha_1, \alpha_2) \in h$. ■

The execution correspondence theorem can be used to show fair trace inclusion as follows:
given $(\alpha_1, \alpha_2) \in h$, show that $\alpha_2$ is fair whenever $\alpha_1$ is fair. In this case we also say that $h$
preserves the fair executions of $A_1$.

The execution correspondence theorem can be extended to the probabilistic case as well 
[20]. We do not write the formal definitions in this paper; however, the following proposition 
can be proved easily from the results about execution correspondence of [20]. 

Proposition 2.14 Let $A_1, A_2$ be two I/O automata, and let $M$ be a probabilistic I/O automaton
compatible with $A_1$ and $A_2$. Let $h$ be a refinement from $A_1$ to $A_2$ that preserves the fair
executions of $A_1$. Then $ftdistrs(A_1 \| M) \subseteq ftdistrs(A_2 \| M)$.

Proof outline. Since $h$ is a refinement from $A_1$ to $A_2$, we can conclude from [20] that
the following function is a probabilistic refinement from $A_1 \| M$ to $A_2 \| M$: $h'(s_{A_1}, s_M) =
(h(s_{A_1}), s_M)$. That is, $h'$ coincides with $h$ on the states of $A_1$ and $A_2$ and is the identity function
on the states of $M$. Let $H_1$ be a fair probabilistic execution of $A_1 \| M$. From the definition
of $h'$-relation of [20], and from the definition of $h'$, it is possible to build a fair probabilistic
execution $H_2$ of $A_2 \| M$ such that $(H_1, H_2) \in h'$. Then, from [20], $tdistr(H_1) = tdistr(H_2)$. ■
3 Symmetric Random Walks for Probabilistic Automata

The correctness of the protocol of Aspnes and Herlihy is based on the theory of random walks 
[8]. That is, some parts of the protocol behave like a probabilistic process known in the 
literature as a random walk. The main problem is to make sure that the protocol indeed 
behaves as a random walk, or better, to make sure that the protocol has the same probabilistic 
properties as a random walk. This is a point where intuition often fails, and therefore we need 
a proof technique that is sufficiently rigorous and simple to avoid mistakes. 

In this section we present a coin lemma for random walks. That is, we show that if we 
choose events within a probabilistic execution fragment according to some specific rules, then 
the chosen events are guaranteed to have properties similar to the properties of random walks. 
Then, by verifying that each one of the chosen events guarantees progress, a non-probabilistic 
property, we can derive probabilistic progress properties of the protocol. 

We start by presenting the theory of random walks followed by a coin lemma for random 
walks. Then we present a result that relates expectations within a random walk to expectations 
within a probabilistic execution. This result is used in the analysis of the protocol of Aspnes and 
Herlihy to study the expected complexity of the coin flipping protocols. Finally, we instantiate 
our new coin lemma to the specific case that we need in the paper. 

3.1 Random Walks 

Let $X$ be a probability space with sample set $\{-1, 1\}$ that assigns probability $p$ to $1$ and
probability $q = 1 - p$ to $-1$. Let $RW = (\Omega_{RW}, \mathcal{F}_{RW}, P_{RW})$ be the probability space built as
follows. The sample set $\Omega_{RW}$ is the set $\{-1, 1\}^\omega$ of infinite sequences of numbers from $\{-1, 1\}$.
For each finite sequence $x \in \{-1, 1\}^n$, let $C_x$, the cylinder with base $x$, be the set of elements
from $\Omega_{RW}$ with common prefix $x$, and let $P_{RW}[C_x] = p^k q^{n-k}$, where $k$ is the number of $1$'s
in $x$. Then $\mathcal{F}_{RW}$ is the minimum $\sigma$-field that contains the set of cylinders, and $P_{RW}$ is the
unique extension to $\mathcal{F}_{RW}$ of the measure defined on the cylinders. The construction is justified
by standard measure theory arguments. In other words, $RW$ is a probability space on infinite
sequences of independent experiments performed according to $X$.

Similarly to our probabilistic executions, define an event $\Theta$ of $\mathcal{F}_{RW}$ to be finitely satisfiable
if it is a union of cylinders. Furthermore, denote a finitely satisfiable event $\Theta$ by a set of
incomparable finite sequences over $\{-1, 1\}$.

Consider a particle on the real line, initially at position $z$, and let $X$ describe a move of the
particle: $-1$ corresponds to decreasing the position of the particle by 1, and $1$ corresponds to
increasing the position of the particle by 1. An element of $\Omega_{RW}$ describes an infinite sequence
of moves of the particle. The probability space $RW$ describes a random walk of the particle.

An important random walk is a random walk with absorbing barriers, that is, a random 
walk that is considered to be successful or failed whenever the particle reaches some specified 
positions (absorbing barriers) of the real line. Consider two barriers $B, T$ such that $B < z < T$.
Then the following events are studied:

1. the particle reaches T before reaching B; 

2. the particle reaches B before reaching T; 

3. the particle reaches either absorbing barrier. 

Formally, given a starting point $z$ and a finite sequence $x = x_1 x_2 \cdots x_n \in \{-1, 1\}^n$ let $z_x =
z + \sum_{i \le n} x_i$ be the position of the particle after $x$. Then, the events 1, 2, and 3 above are
finitely satisfiable and can be denoted by the following sets of finite sequences, respectively:

1. the set $Top_{RW}[B, T, z]$ of minimal sequences $x \in \{-1, 1\}^*$ such that $z_x = T$ and for no
prefix $x'$ of $x$, $z_{x'} = B$;

2. the set $Bot_{RW}[B, T, z]$ of minimal sequences $x \in \{-1, 1\}^*$ such that $z_x = B$ and for no
prefix $x'$ of $x$, $z_{x'} = T$;

3. the set $Either_{RW}[B, T, z] = Top_{RW}[B, T, z] \cup Bot_{RW}[B, T, z]$.

The following results are known from random walk theory [8].

Theorem 3.1 Let $p = q = 1/2$. Then

1. $P[Top_{RW}[B, T, z]] = (T - z)/(T - B)$;

2. $P[Bot_{RW}[B, T, z]] = (z - B)/(T - B)$;

3. $P[Either_{RW}[B, T, z]] = 1$. ■

For a finitely satisfiable event $\Theta$ that has probability 1 it is possible to study the average
number of moves that are needed to satisfy $\Theta$ as follows:

$$E_{RW}[\Theta] = \sum_{x \in \Theta} length(x)\, P_{RW}[C_x].$$

From random walk theory [8] we know the following result.

Theorem 3.2 Let $p = q = 1/2$. Then $E_{RW}[Either_{RW}[B, T, z]] = -z^2 + (B + T)z - BT$. ■
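The quantities of Theorems 3.1 and 3.2 computed exactly, as an added example that is not part of the paper: the hitting probabilities and the expected number of moves are obtained from the one-step recurrences of the walk with exact rationals, and the definition of $E_{RW}$ above is evaluated over the cylinders of bounded length, the truncated sum the coin-lemma proofs in Section 3.2 work with. For the symmetric walk the recurrence gives $(z - B)/(T - B)$ for reaching $T$ before $B$, the form Proposition 3.11 uses; the optional argument $p$ is an assumption that generalises beyond $p = q = 1/2$.

```python
from fractions import Fraction


def _shoot(B, T, p, first, cost):
    """Values f(B), ..., f(T) of the recurrence f(k) = cost + p f(k+1) + (1-p) f(k-1),
    given f(B) = 0 and f(B+1) = first, solved forward for f(k+1)."""
    q = 1 - p
    f = [Fraction(0), Fraction(first)]
    for _ in range(B + 1, T):
        f.append((f[-1] - cost - q * f[-2]) / p)
    return f


def absorption_probabilities(B, T, z, p=Fraction(1, 2)):
    """(P[Top_RW[B,T,z]], P[Bot_RW[B,T,z]]): reach T before B, and B before T.
    The hitting probability h satisfies h(k) = p h(k+1) + q h(k-1), h(B)=0, h(T)=1;
    shoot with h(B+1)=1 and rescale so that h(T)=1."""
    h = _shoot(B, T, p, 1, 0)
    top = h[z - B] / h[T - B]
    return top, 1 - top            # Either_RW has probability 1 (Theorem 3.1, item 3)


def expected_duration(B, T, z, p=Fraction(1, 2)):
    """E_RW[Either_RW[B,T,z]]: expected number of moves until a barrier is reached.
    d(k) = 1 + p d(k+1) + q d(k-1) with d(B) = d(T) = 0; d(T) is affine in the unknown
    d(B+1), so two shots fix it."""
    a = _shoot(B, T, p, 0, 1)[T - B]      # d(T) if d(B+1) were 0
    b = _shoot(B, T, p, 1, 1)[T - B]      # d(T) if d(B+1) were 1
    first = -a / (b - a)                  # the d(B+1) that makes d(T) = 0
    return _shoot(B, T, p, first, 1)[z - B]


def theorem_3_2(B, T, z):
    """Closed form of Theorem 3.2 (symmetric walk only)."""
    return -z * z + (B + T) * z - B * T


def cylinder_measure_up_to(B, T, z, k, p=Fraction(1, 2)):
    """Sum of P_RW[C_x] over x in Top_RW and in Bot_RW with length(x) <= k, and the
    partial sum of length(x) P_RW[C_x] over Either_RW, i.e. E_RW truncated at length k.
    Sequences are grouped by the particle position, which is all the measure depends on."""
    q = 1 - p
    mass = {z: Fraction(1)}               # probability mass of unabsorbed prefixes
    top = bot = partial = Fraction(0)
    for n in range(1, k + 1):
        nxt = {}
        for pos, m in mass.items():
            for move, pr in ((1, p), (-1, q)):
                newpos, mm = pos + move, m * pr
                if newpos == T:           # minimal sequence in Top_RW of length n
                    top += mm
                    partial += n * mm
                elif newpos == B:         # minimal sequence in Bot_RW of length n
                    bot += mm
                    partial += n * mm
                else:
                    nxt[newpos] = nxt.get(newpos, 0) + mm
        mass = nxt
    return top, bot, partial


if __name__ == "__main__":
    B, T, z = -10, 10, 0                  # the barriers of Example 3.1 below
    print("P[Top], P[Bot] =", absorption_probabilities(B, T, z))
    print("E_RW =", expected_duration(B, T, z), "closed form:", theorem_3_2(B, T, z))
    print("cylinders up to length 200:", cylinder_measure_up_to(B, T, z, 200))
```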
3.2 A Coin Lemma for Random Walks

We use a terminology that resembles coin flipping; thus, the number $-1$ is replaced by $t$ (tail),
the number $1$ is replaced by $h$ (head), $p$ is replaced by $p_h$, and $q$ is replaced by $p_t$. Let $M$
be a probabilistic automaton and let $Acts = \{flip_1, \ldots, flip_n\}$ be a subset of $Actions(M)$. Let
$S = \{(U_1^h, U_1^t), (U_2^h, U_2^t), \ldots, (U_n^h, U_n^t)\}$ be a set of pairs where for each $i$, $1 \le i \le n$, $U_i^h, U_i^t$
are disjoint subsets of $States(M)$. Suppose that for every transition $(s, flip_i, \mathcal{P})$ with an action
$flip_i$ the following hold:

$$\Omega \subseteq U_i^h \cup U_i^t, \quad (7)$$

$$P[U_i^h] = p_h \text{ and } P[U_i^t] = p_t. \quad (8)$$

The actions from $Acts$ represent coin flips, and the sets of states $U_i^h$ and $U_i^t$ represent the two
possible outcomes of a coin flip labeled with $flip_i$. Since the sets $Acts$ and $S$ are usually clear
from the context, we omit them from our notation. We write $Acts$ and $S$ explicitly only the
first time each new notation is introduced.

3.2.1 The Coin Lemma 

Let $\Theta$ be a finitely satisfiable event of $RW$, and let $H$ be a probabilistic execution fragment
of $M$. Given an execution $\alpha$ of $H$, let $x_{Acts,S}(\alpha)$ be the ordered sequence of results of the coin
flips that occur in $\alpha$, i.e., if the $i$th occurrence of an action from $Acts$ in $\alpha$ is an occurrence of
$flip_j$ that leads to a state from $U_j^h$ then the $i$th element of $x(\alpha)$ is $h$, and if the $i$th occurrence
of an action from $Acts$ in $\alpha$ is an occurrence of $flip_j$ that leads to a state from $U_j^t$, then the
$i$th element of $x(\alpha)$ is $t$. Observe that $x(\alpha)$ is finite if in $\alpha$ there are finitely many occurrences
of actions from $Acts$.

Let $W_{Acts,S}(H, \Theta)$ be the set of executions $\alpha$ of $\Omega_H$ such that either $x(\alpha)$ has a prefix in $\Theta$,
or $x(\alpha)$ is a prefix of some element of $\Theta$. Informally, $W(H, \Theta)$ contains all those executions of
$\Omega_H$ where either the coin flips describe a random walk contained in the event denoted by $\Theta$,
or there is a way to fix the values of the unflipped coins so that a random walk of the event
denoted by $\Theta$ is obtained. In other words, if we view the scheduler as a malicious adversary
that tries to resolve the nondeterminism so that the probability of $W(H, \Theta)$ is minimized, the
scheduler does not gain anything by not scheduling coin flipping operations.

Lemma 3.3 $W(H, \Theta)$ is measurable in $\mathcal{P}_H$.

Proof. The set $W(H, \Theta)$ is the union of two sets: the set of executions $\alpha$ of $\Omega_H$ such that
$x(\alpha)$ has a prefix in $\Theta$, and the set of executions $\alpha$ of $\Omega_H$ such that $x(\alpha)$ is a prefix of some
element of $\Theta$. The first set is a union of cones of the form $C_\alpha$ such that $x(\alpha) \in \Theta$; the second
set is the complement of a union of cones, namely of the cones $C_\alpha$ such that $x(\alpha)$ is not a prefix of any
element of $\Theta$. ■

We now prove that, no matter how the nondeterminism is resolved, the probability $P_H$
of the event $W(H, \Theta)$ is lower-bounded by the probability $P_{RW}$ of the event $\Theta$. That is, the
probability of the mapping of the event $\Theta$ onto $H$ is at least as large as the probability of $\Theta$.
We first prove our result for a special class of events in Lemma 3.4. Then, we prove the full
result in Theorem 3.5.

Lemma 3.4 Suppose that for each transition $(s, flip_i, \mathcal{P})$ of $M$, $P[U_i^h] = p_h$ and $P[U_i^t] = p_t$.
If there is a finite upper bound $k$ on the length of the elements of $\Theta$, then $P_H[W(H, \Theta)] \ge
P_{RW}[\Theta]$.

Proof. For notational convenience, for each state $q$ of $H$ let $\mathcal{P}_q^H$ denote the probability space
associated with the unique transition that leaves from $q$ in $H$.

We prove that $P_H[\overline{W(H, \Theta)}] \le 1 - P_{RW}[\Theta]$.

For each state $q$ of $H$, each $i \in \{1, \ldots, n\}$, and each $j \in \{h, t\}$, denote by $\Omega(q, U_i^j)$ the set
$\{(flip_i, q') \in \Omega_q^H \mid lstate(q') \in U_i^j\}$ of pairs where $flip_i$ occurs and leads to a state of $U_i^j$, and
for each action $a$ let $a$ denote also the set of pairs whose first element is $a$, that is, the event
that action $a$ occurs. For each $i \in \{1, \ldots, n\}$, let $\Theta_i$ be the set of states $q$ of $H$ such that no
action $flip_j$, $1 \le j \le n$, occurs in $q$, and such that $P_q^H[flip_i] > 0$.

The proof is by induction on $length(\Theta)$, the maximum length of the elements of $\Theta$. If
$length(\Theta) = 0$, then either $\Theta = \emptyset$ or $\Theta = \{\epsilon\}$, where $\epsilon$ denotes the empty sequence. In
the first case $W(H, \Theta) = \emptyset$, and thus $P_H[\overline{W(H, \Theta)}] = 1 - P_{RW}[\Theta] = 1$; in the second case
$W(H, \Theta) = \Omega_H$, and thus $P_H[\overline{W(H, \Theta)}] = 1 - P_{RW}[\Theta] = 0$. For the inductive step, suppose
that $length(\Theta) = k + 1$. Then,

$$P_H[\overline{W(H, \Theta)}] = \sum_{i \in \{1, \ldots, n\}} \sum_{q \in \Theta_i} P_H[C_q] \left( \sum_{j \in \{h, t\}} \sum_{(flip_i, q') \in \Omega(q, U_i^j)} P_q^H[(flip_i, q')]\, P_{H \triangleright q'}[\overline{W(H \triangleright q', \Theta \triangleright j)}] \right), \quad (9)$$

where $\Theta \triangleright j$ is the event $\Theta$ after performing $j$, that is, the set of the tails of the sequences of $\Theta$
whose head is $j$. Informally, to violate $W(H \triangleright q', \Theta \triangleright j)$ with a non-empty $\Theta$, it is necessary
to flip at least once and then violate the rest of $\Theta$. Observe that $length(\Theta \triangleright j) \le k$. Thus, by
induction, for each $j \in \{h, t\}$ and each state $q'$ of $H$,

$$P_{H \triangleright q'}[\overline{W(H \triangleright q', \Theta \triangleright j)}] \le 1 - P_{RW}[\Theta \triangleright j]. \quad (10)$$

Using (10) in (9), and factoring $1 - P_{RW}[\Theta \triangleright j]$ out of the innermost summation, we obtain

$$P_H[\overline{W(H, \Theta)}] \le \sum_{i \in \{1, \ldots, n\}} \sum_{q \in \Theta_i} P_H[C_q] \left( \sum_{j \in \{h, t\}} P_q^H[\Omega(q, U_i^j)]\, (1 - P_{RW}[\Theta \triangleright j]) \right). \quad (11)$$

Let $i \in \{1, \ldots, n\}$ and $j \in \{h, t\}$, and consider a state $q$ of $H$. From the definition of
the transition relation of a probabilistic execution fragment, there is a collection of transitions
$(lstate(q), flip_i, \mathcal{P}_k)$ and a collection of probabilities $p_{t_k}$ such that $\sum_k p_{t_k} = P_q^H[flip_i]$
and $P_q^H[\Omega(q, U_i^j)] = \sum_k p_{t_k} P_k[U_i^j]$. From the hypothesis, for each $k$, $P_k[U_i^j] = p_j$. Thus,
$P_q^H[\Omega(q, U_i^j)] = P_q^H[flip_i]\, p_j$. By substituting in (11),

$$P_H[\overline{W(H, \Theta)}] \le \sum_{i \in \{1, \ldots, n\}} \sum_{q \in \Theta_i} P_H[C_q]\, P_q^H[flip_i] \left( \sum_{j \in \{h, t\}} (1 - P_{RW}[\Theta \triangleright j])\, p_j \right). \quad (12)$$

Observe that $\sum_{i \in \{1, \ldots, n\}} \sum_{q \in \Theta_i} P_H[C_q]\, P_q^H[flip_i]$ is the probability that some action $flip_i$ occurs
in $H$, and hence its value is at most 1. Furthermore, observe that $\sum_{j \in \{h, t\}} p_j P_{RW}[\Theta \triangleright j] =
P_{RW}[\Theta]$, that is, since $p_h + p_t = 1$, $\sum_{j \in \{h, t\}} p_j (1 - P_{RW}[\Theta \triangleright j]) = 1 - P_{RW}[\Theta]$. Thus, from (12),

$$P_H[\overline{W(H, \Theta)}] \le 1 - P_{RW}[\Theta]. \quad (13)$$

This completes the proof. ■

Theorem 3.5 Suppose that for each transition $(s, flip_i, \mathcal{P})$ of $M$, $P[U_i^h] = p_h$ and $P[U_i^t] = p_t$.
Then, $P_H[W(H, \Theta)] \ge P_{RW}[\Theta]$.

Proof. For each $k \ge 0$, let $\Theta_k$ be the set of elements of $\Theta$ whose length is at most $k$. Then,
$\Theta = \bigcup_{k \ge 0} \Theta_k$, and from the definition of $W$, $W(H, \Theta) = \bigcup_{k \ge 0} W(H, \Theta_k)$. Furthermore, for
each $k \ge 0$, $\Theta_k \subseteq \Theta_{k+1}$, and $W(H, \Theta_k) \subseteq W(H, \Theta_{k+1})$. From simple arguments of measure
theory, $P_{RW}[\Theta] = \lim_{k \to +\infty} P_{RW}[\Theta_k]$, and $P_H[W(H, \Theta)] = \lim_{k \to +\infty} P_H[W(H, \Theta_k)]$. From
Lemma 3.4, for each $k \ge 0$, $P_H[W(H, \Theta_k)] \ge P_{RW}[\Theta_k]$. Thus, $\lim_{k \to +\infty} P_H[W(H, \Theta_k)] \ge
\lim_{k \to +\infty} P_{RW}[\Theta_k]$, that is, $P_H[W(H, \Theta)] \ge P_{RW}[\Theta]$. ■

3.2.2 Expected Complexity of the Random Walk 

The next theorem shows that the average length of a random walk is preserved by the mapping
$W$, that is, for fixed $H$ and $\Theta$, the expected number of coin flips that may occur in $H$ without
reaching $\Theta$ is bounded above by the expected number of coin flips necessary to reach $\Theta$ in
$RW$. First we need a definition.

Definition 3.6 Let $\Theta$ be an event in $RW$, and let $M$ be a probabilistic automaton. For each
finite execution fragment $\alpha$ of $M$, define $\phi(\alpha)$ to be the number of actions from $Acts$ that occur
in $\alpha$ if $x(\alpha)$ does not have any prefix in $\Theta$, and to be the number of actions from $Acts$ that
occur in the minimum prefix $\alpha'$ of $\alpha$ such that $x(\alpha') \in \Theta$, otherwise. ■

Informally, $\phi(\alpha)$ is the number of moves of the random walk that occur in $\alpha$ before satisfying
the event denoted by $\Theta$. In particular, if $\Theta$ is not satisfied yet within $\alpha$, $\phi(\alpha)$ is the total
number of moves of the random walk that occur in $\alpha$. Observe that $\phi$ is a complexity function
but not a complexity measure.

Theorem 3.7 Suppose that for each transition $(s, flip_i, \mathcal{P})$ of $M$, $P[U_i^h] = p$ and $P[U_i^t] = q$.
Also, suppose that $P_{RW}[\Theta] = 1$. Let $\Theta'$ be a full cut of $H$. Then $E_\phi[H, \Theta'] \le E_{RW}[\Theta]$.

Proof. By definition, $E_\phi[H, \Theta'] = \sum_{q \in \Theta'} \phi(q) P_H[C_q]$.

From the definition of $\phi$, if $q' \le q$ and $x(q') \in \Theta$, then $\phi(q') = \phi(q)$. Thus, we can build a
new full cut $\Theta''$ obtained from $\Theta'$ by replacing each $q \in \Theta'$ such that $x(q)$ has a prefix in $\Theta$ with
the minimum prefix $q'$ of $q$ such that $x(q') \in \Theta$ and obtain $E_\phi[H, \Theta'] = \sum_{q \in \Theta''} \phi(q) P_H[C_q]$. In
particular, for no element $q$ of $\Theta''$ does the sequence $x(q)$ have a proper prefix in $\Theta$.

Partition $\Theta''$ into the set $\Theta''_p$ of states $q$ such that $x(q)$ is a prefix of some element of $\Theta$, and
the set $\Theta''_n$ of states $q$ such that $x(q)$ is not a prefix of any element of $\Theta$. From the definition
of $\Theta''$, for no element $q$ of $\Theta''_n$ does $x(q)$ have a prefix in $\Theta$. Thus, $W(H, \Theta) \cap (\bigcup_{q \in \Theta''_n} C_q) = \emptyset$.
Since from Theorem 3.5 and the hypothesis $P_{RW}[\Theta] = 1$ we have $P_H[W(H, \Theta)] = 1$, we derive that $P_H[\Theta''_n] = 0$, which means that
$\Theta''_p$ is a full cut of $H$. Furthermore, since $\Theta''_p \subseteq \Theta''$, $E_\phi[H, \Theta'] \le \sum_{q \in \Theta''_p} \phi(q) P_H[C_q]$, that is,
$E_\phi[H, \Theta'] \le E_\phi[H, \Theta''_p]$.

For each $k \ge 0$, let $\Theta_{<k}$ be the set of elements of $\Theta$ whose length is less than $k$, and let
$\Theta_{\ge k}$ be the set of elements of $\Theta$ whose length is at least $k$. Similarly, let $\Theta''_{p,<k}$ be the set of
elements $q$ of $\Theta''_p$ such that $length(x(q)) < k$, and let $\Theta''_{p,\ge k}$ be the set of elements $q$ of $\Theta''_p$ such
that $length(x(q)) \ge k$.

Fix $k \ge 0$, and let $\alpha \in W(H, \Theta_{<k}) \cap (\bigcup_{q \in \Theta''_p} C_q)$. Since $\alpha \in W(H, \Theta_{<k})$, from the definition
of $\phi$ for each finite prefix $\alpha'$ of $\alpha$, $\phi(\alpha') < k$. From the definition of $\Theta''_p$, $\alpha \in C_q$ for
some $q \in \Theta''_p$ with $length(x(q)) < k$. Thus, $W(H, \Theta_{<k}) \cap (\bigcup_{q \in \Theta''_p} C_q) \subseteq \bigcup_{q \in \Theta''_{p,<k}} C_q$, which
implies $P_H[W(H, \Theta_{<k}) \cap (\bigcup_{q \in \Theta''_p} C_q)] \le P_H[\Theta''_{p,<k}]$. Since $P_H[\Theta''_p] = 1$, $P_H[W(H, \Theta_{<k})] =
P_H[W(H, \Theta_{<k}) \cap (\bigcup_{q \in \Theta''_p} C_q)]$. This implies that $P_H[W(H, \Theta_{<k})] \le P_H[\Theta''_{p,<k}]$.

From Theorem 3.5, $P_H[W(H, \Theta_{<k})] \ge P_{RW}[\Theta_{<k}]$, which, combined with the previous
result, gives $P_H[\Theta''_{p,<k}] \ge P_{RW}[\Theta_{<k}]$. From this we derive that $E_\phi[H, \Theta''_p] = \sum_{k > 0} P_H[\Theta''_{p,\ge k}] \le
\sum_{k > 0} P_{RW}[\Theta_{\ge k}] = E_{RW}[\Theta]$, where the first and third steps follow from Proposition 2.1. Since
we have shown already that $E_\phi[H, \Theta'] \le E_\phi[H, \Theta''_p]$, we conclude that $E_\phi[H, \Theta'] \le E_{RW}[\Theta]$. ■
3.3 Instantiation of the Coin Lemma

In this section we instantiate the results of Section 3.2 with the events presented in Section 3.1. 
We also introduce a notation that is more suitable for the specific concepts that are described. 

Given a finite execution fragment a of M, let Heads Acts, s( a ) denote the number of actions 
of the form flip i in a whose post state is in the corresponding set [/,- , and let Tails Acts, si, 01 ) 
denote the number of actions of the form flip i in a whose post state is in the corresponding 
set U-. Let Diff Ac ts,si a ) denote Heads A cts,si°) ~ Tails Ac ts ,si°) ■ 

Definition 3.8 For each probabilistic execution fragment H of M , letTop[Acts,S,B,T,z](H) 
be the set of executions a of S7# such that either 

• 3 a ,< a ((z + Diff (of) = T) A V a »< a /(5 < z + Diffia"))), or 

• V„'<„(i? < z + Diffia 1 ) < T) and actions from Acts occur finitely many times in a. 

The event Top[Acts,S,B,T,z](H) captures the situations where either z + Diffia') reaches 
the top barrier T before the bottom barrier B, or the total number of "flips" is finite and 
z + Diffia') reaches neither barrier. 

Definition 3.9 For each probabilistic execution fragment $H$ of $M$, let $Bot[Acts,S,B,T,z](H)$
be the set of executions $\alpha$ of $\Omega_H$ such that either

• $\exists_{\alpha' \le \alpha}\,\big((z + Diff(\alpha') = B) \wedge \forall_{\alpha'' < \alpha'}\,(z + Diff(\alpha'') < T)\big)$, or

• $\forall_{\alpha' \le \alpha}\,(B < z + Diff(\alpha') < T)$ and actions from $Acts$ occur finitely many times in $\alpha$.

The event $Bot[Acts,S,B,T,z](H)$ captures the situations where either $z + Diff(\alpha')$ reaches
the bottom barrier $B$ before the top barrier $T$, or the total number of "flips" is finite and
$z + Diff(\alpha')$ reaches neither barrier.

Definition 3.10 For each probabilistic execution fragment $H$ of $M$, let
$$Either[Acts,S,B,T,z](H) = Top[Acts,S,B,T,z](H) \cup Bot[Acts,S,B,T,z](H).$$

The event $Either[Acts,S,B,T,z](H)$ excludes those executions of $M$ where infinitely many
"flips" occur and $z + Diff(\alpha')$ reaches neither barrier.

Proposition 3.11 Let $H$ be a probabilistic execution fragment of $M$. Then

1. $P_H[Top[B,T,z](H)] \ge (z - B)/(T - B)$.

2. $P_H[Bot[B,T,z](H)] \ge (T - z)/(T - B)$.

3. $P_H[Either[B,T,z](H)] = 1$.

Proof.

1. From the definitions, the events $Top[B,T,z](H)$ and $W(H, Top_{RW}[B,T,z])$ are the
same. From Theorems 3.1 and 3.5, $P_H[Top[B,T,z](H)] \ge (z - B)/(T - B)$.

2. From the definitions, the events $Bot[B,T,z](H)$ and $W(H, Bot_{RW}[B,T,z])$ are the
same. From Theorems 3.1 and 3.5, $P_H[Bot[B,T,z](H)] \ge (T - z)/(T - B)$.

3. From the definitions, the events $Either[B,T,z](H)$ and $W(H, Either_{RW}[B,T,z])$ are
the same. From Theorems 3.1 and 3.5, $P_H[Either[B,T,z](H)] = 1$. ■

We conclude with an instantiation of the result about expected complexities. Let $\phi_{Acts}$ be
the complexity measure such that $\phi_{Acts}(\alpha)$ is the number of actions from $Acts$ that occur in
$\alpha$. Define $\phi_{Acts,B,T,z}(\alpha)$ to be the truncation of $\phi_{Acts}$ at the point where one of the absorbing
barriers is reached. That is, if there is no prefix $\alpha'$ of $\alpha$ such that $z + Diff(\alpha') \in \{B,T\}$, then
$\phi_{Acts,B,T,z}(\alpha) = \phi_{Acts}(\alpha)$; otherwise, $\phi_{Acts,B,T,z}(\alpha) = \phi_{Acts}(\alpha')$, where $\alpha'$ is the minimum prefix
of $\alpha$ such that $z + Diff(\alpha') \in \{B,T\}$. Observe that $\phi_{Acts,B,T,z}$ is not a complexity measure,
but rather a complexity function:

Example 3.1 If $T = -B = 10$, $z = 0$, $\alpha_1$ contains 5 flip actions, all giving tail, and $\alpha_2$
contains 15 flip actions, all giving head, then $\phi_{Acts,B,T,z}(\alpha_1) = 5$, $\phi_{Acts,B,T,z}(\alpha_2) = 10$, while
$\phi_{Acts,B,T,z}(\alpha_1 \frown \alpha_2) = 20$, which is greater than $10 + 5$. ■

Proposition 3.12 Let $H$ be a probabilistic execution fragment of $M$, and let $\Theta'$ be a full cut
of $H$. Let $z$ be chosen so that $B \le z \le T$. Then, $E_{\phi_{Acts,B,T,z}}[H,\Theta'] \le -z^2 + (B+T)z - BT$.

Proof. For each state $q$ of $H$ observe that $\phi_{Acts,B,T,z}(q) = \phi(\chi(q))$, where $\phi$ is the function
defined in Definition 3.6 using the set of minimal sequences of $\{-1,1\}^*$ such that either
$B$ or $T$ is reached starting from $z$. From Theorem 3.7, $E_{\phi_{Acts,B,T,z}}[H,\Theta'] \le E_{RW}[\Theta]$. From
Theorem 3.2, $E_{RW}[\Theta] \le -z^2 + (B+T)z - BT$, and therefore $E_{\phi_{Acts,B,T,z}}[H,\Theta'] \le -z^2 + (B+T)z - BT$. ■
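The numbers in Proposition 3.11, Proposition 3.12 and Example 3.1 can be checked directly on the underlying random walk. The Python script below is an added example and not code from the paper: it solves the first-step recurrences of the symmetric walk with absorbing barriers $B$ and $T$ exactly (over rationals), compares the results with the closed forms $(z-B)/(T-B)$ and $-z^2 + (B+T)z - BT$ that Theorems 3.1 and 3.2 give for $Top_{RW}$ and for $E_{RW}[\Theta]$, and implements the truncated complexity function $\phi_{Acts,B,T,z}$ together with the membership tests of Definitions 3.8 and 3.9 on finite flip sequences. The encoding of a flip as $+1$ (head) or $-1$ (tail) and all function names are the example's own assumptions.

```python
"""Symmetric random walk between absorbing barriers B < T started at z.
Added example, not from the paper: exact gambler's-ruin values and the
truncated flip count phi_{Acts,B,T,z} of Section 3.3.  A flip is encoded
as +1 (head) or -1 (tail); the function names are the example's own."""
from fractions import Fraction
from typing import List, Tuple


def _solve_walk(B: int, T: int, left: Fraction, right: Fraction, rhs: Fraction) -> List[Fraction]:
    """Solve x_k - (x_{k-1} + x_{k+1})/2 = rhs for the interior points B+1..T-1
    with boundary values x_B = left and x_T = right (tridiagonal system,
    Thomas algorithm over exact rationals).  Returns the vector x_B..x_T."""
    n = T - B - 1
    a = c = Fraction(-1, 2)          # sub- and super-diagonal of the system
    b = Fraction(1)                  # diagonal
    d = [rhs] * n
    d[0] -= a * left                 # fold the known boundary values into the rhs
    d[-1] -= c * right
    cp, dp = [Fraction(0)] * n, [Fraction(0)] * n
    cp[0], dp[0] = c / b, d[0] / b
    for k in range(1, n):            # forward sweep
        denom = b - a * cp[k - 1]
        cp[k] = c / denom
        dp[k] = (d[k] - a * dp[k - 1]) / denom
    x = [Fraction(0)] * n
    x[-1] = dp[-1]
    for k in range(n - 2, -1, -1):   # back substitution
        x[k] = dp[k] - cp[k] * x[k + 1]
    return [left] + x + [right]


def hitting_probability_top(B: int, T: int, z: int) -> Fraction:
    """Probability that the walk started at z reaches T before B."""
    return _solve_walk(B, T, Fraction(0), Fraction(1), Fraction(0))[z - B]


def expected_absorption_time(B: int, T: int, z: int) -> Fraction:
    """Expected number of flips until one of the two barriers is reached."""
    return _solve_walk(B, T, Fraction(0), Fraction(0), Fraction(1))[z - B]


def closed_form_top(B: int, T: int, z: int) -> Fraction:
    """The value (z - B)/(T - B) used in Theorem 3.1 / Proposition 3.11."""
    return Fraction(z - B, T - B)


def closed_form_steps(B: int, T: int, z: int) -> int:
    """The bound -z^2 + (B + T)z - BT of Theorem 3.2 / Proposition 3.12, i.e. (z - B)(T - z)."""
    return -z * z + (B + T) * z - B * T


def truncated_flip_count(flips: List[int], B: int, T: int, z: int) -> int:
    """phi_{Acts,B,T,z}: flips are counted only up to the first time z + Diff hits B or T."""
    pos = z
    for k, step in enumerate(flips, start=1):
        assert step in (1, -1), "a flip is +1 (head) or -1 (tail)"
        pos += step
        if pos in (B, T):
            return k
    return len(flips)


def event_membership(flips: List[int], B: int, T: int, z: int) -> Tuple[bool, bool]:
    """(in Top, in Bot) for a finite execution with the given flips, following
    Definitions 3.8 and 3.9: a finite execution that hits no barrier is in both."""
    pos = z
    for step in flips:
        pos += step
        if pos == T:
            return True, False
        if pos == B:
            return False, True
    return True, True


if __name__ == "__main__":
    B, T, z = -10, 10, 0
    print(hitting_probability_top(B, T, z), closed_form_top(B, T, z))
    print(expected_absorption_time(B, T, z), closed_form_steps(B, T, z))
    a1, a2 = [-1] * 5, [1] * 15      # the two fragments of Example 3.1
    print(truncated_flip_count(a1, B, T, z), truncated_flip_count(a2, B, T, z),
          truncated_flip_count(a1 + a2, B, T, z))
```

For the fair walk the recurrence solution coincides with the closed forms, which is why Proposition 3.11 and Proposition 3.12 state them as bounds: the coin lemma of Section 3.2 only loses probability mass to executions in which the adversary stops scheduling flips, and those belong to both Top and Bot. The last three prints reproduce the 5, 10 and 20 of Example 3.1, showing that the truncated count of a concatenation can exceed the sum of the truncated counts of its parts.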
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Part II: The Case Study 



4 The Algorithm of Aspnes and Herlihy 

4.1 The Consensus Problem 

The consensus problem consists of making n asynchronous processes decide on the same value 
(either 0 or 1) in the presence of stopping faults, given that each process starts with its own 
initial value. The initial value is provided by the environment during initialization. We say 
that an algorithm solves the consensus problem if it satisfies the following properties. 

Validity: If a process decides on a value within an execution of the algorithm, then this 
value is the initial value of some process. 

Agreement: Any two processes that decide within an execution of the algorithm decide 
on the same value. 

Wait-free termination: All initialized and non-failed processes eventually decide. 

It is known from [9] that there is no deterministic algorithm for asynchronous processes that
solves consensus and guarantees termination even in the presence of a single faulty process.
However, the problem becomes solvable using randomization if we relax the termination
condition and replace it with the following condition.

Probabilistic wait-free termination: With probability 1, all initialized and non-failed 
processes eventually decide. 

The algorithm that we analyze in this paper is due to Aspnes and Herlihy [5] and relies on 
the theory of random walks. It terminates within expected polynomial time. We have chosen 
this algorithm because it is frequently cited in the literature and because it is among the most 
complicated randomized algorithms so far proposed. The complex structure of the algorithm 
allows us to show how modular verification techniques can be applied within a randomized 
framework. 

4.2 Description of the Algorithm 

The algorithm of Aspnes and Herlihy proceeds in rounds. Every process maintains a variable 
with two fields, value and round, that contain the process' current preferred value (0, 1 or ⊥)
and current round (a non-negative integer), respectively. We say that a process is at round
r if its round field is equal to r. Note that, due to asynchrony, different processes could be
at different rounds at some point of an execution. The variables (value, round) are multiple-
reader single-writer. Each process starts with its round field initialized to 0 and its value field
initialized to ⊥.

Figure 2: The interaction diagram of the algorithm of Aspnes and Herlihy.

After receiving the initial value to agree on, each process i executes the following loop. It 
first reads the (value, round) variables of all other processes into its local memory. We say that 
process i is a leader if according to its readings its own round is greater than or equal to the 
rounds of all other processes. We also say that a process i observed that another process j is 
a leader if according to i's readings the round of j is greater than or equal to the rounds of all 
other processes. If process i at round r discovers that it is a leader, and that according to its 
readings all processes that are at rounds r and r — 1 have the same value as i, then i breaks out 
of the loop and decides on its value. Otherwise, if all processes that i observed to be leaders 
have the same value v , then i sets its value to v, increments its round and proceeds to the next 
iteration of the loop. In the remaining case (leaders that i observed do not agree), i sets its 
value to ⊥ and scans the other processes again. If once again the leaders observed by i do not 
agree, then i determines its new preferred value for the next round by invoking a coin flipping 
protocol. There is a separate coin flipping protocol for each round. Figure 2 gives a high level 
view of the algorithm. The left box is the main algorithm which is subdivided into processes; 
the right boxes are the coin flipping protocols which interact with the main algorithm through 
some invocation and response messages. 

We represent the main part of the algorithm as an automaton AP (Agreement Protocol), 
and the coin flipping protocols as probabilistic automata CF r (Coin Flipper), one for each 
round r. With this decomposition we can prove several important properties of the algorithm 
as properties of AP using ordinary techniques for non-probabilistic systems. Indeed, in this 
section we deal with AP only, and we leave the coin flippers unspecified. Table 1 describes the 
state variables of AP. The shared state of process i consists of a single-writer multiple-reader 
shared variable with two fields, value(i) and round(i), that contain process i's current preferred 
value and round. The local state of a process i consists of a program counter pc, two arrays, 
values and rounds that store the (value, round) variables of other processes after i reads them, 
a variable obs that records the processes already observed by i, a variable start that records 
the initial preferred value of i, and two boolean flags, decided and stopped, that reflect whether 
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Name 



Values 



Single-writer multiple-reader shared variables 

(value(i),round(i)) {0,l,_l_}xm£ 



Initially 



Local state 








pc 


{nil, init, 


readl, read2, checkl, check2,flip, wait, decide} 


init 


values 


array [1 . . 


.n] of {0,1,1} 


array of _L 


rounds 


array [1 . . 


.n] of int 


array of 


obs 


set of {1, 


...,n} 





start 


{o,i,±} 




_L 


decided 


Bool 




false 


stopped 


Bool 




false 



:-l,o) 



Table 1: The state variables of a process i in AP. 



i has decided or failed. The variable stopped is not relevant for the actual code for process i; it 
is used only in the analysis of the algorithm to identify those points where process i has failed. 

Table 2 describes the actions and the transition relation of AP. The transitions associated 
with each action a are described by giving the conditions that a state s should satisfy to 
enable a (Pre:), and the transformations that are performed on s to obtain the post-state of 
the transition (Eff:). If the precondition is omitted, then it is taken to be true. Table 2 is based 
on the following predicates and functions: obs-max-round is the maximum round observed by 
process i; obs-leader(j) is true if i observes that j is a leader; obs-agree(r,v) is true if the 
observations of all the processes whose round is at least r agree on v; obs-leader-agree(v) is 
true if, according to the observations of i, the leaders agree on v; obs-leader-value is the value 
of one of the leaders observed by i. Formally,

$$\begin{aligned}
\textit{obs-max-round} &= \max_{j \in obs}\, rounds[j] \\
\textit{obs-leader}(j) &= j \in obs \wedge rounds[j] = \textit{obs-max-round} \\
\textit{obs-agree}(r,v) &= \forall_{j \in obs}\; rounds[j] \ge r \Rightarrow values[j] = v \\
\textit{obs-leader-agree}(v) &= \textit{obs-agree}(\textit{obs-max-round}, v) \\
\textit{obs-leader-value} &= \begin{cases} v & \text{if } \textit{obs-leader-agree}(v) \\ \text{undefined} & \text{if } \nexists_v\; \textit{obs-leader-agree}(v) \end{cases}
\end{aligned}$$



It is simple to check that obs-leader-value is a well defined function since it is never the case
that obs-leader-agree(0) and obs-leader-agree(1) are satisfied simultaneously.

Actions and transitions of process i.

input init(v)_i
    Eff: start ← v

output start(v)_i
    Pre: pc = init ∧ start = v ≠ ⊥
    Eff: value(i) ← v
         round(i) ← 1
         obs ← ∅
         pc ← read1

output read1(k)_i
    Pre: pc = read1
         k ∉ obs
    Eff: values[k] ← value(k)
         rounds[k] ← round(k)
         obs ← obs ∪ {k}
         if obs = {1, ..., n} then pc ← check1

output read2(k)_i
    Pre: pc = read2
         k ∉ obs
    Eff: values[k] ← value(k)
         rounds[k] ← round(k)
         obs ← obs ∪ {k}
         if obs = {1, ..., n} then pc ← check2

output check1_i
    Pre: pc = check1
    Eff: if obs-leader(i) ∧ ∃_{v ∈ {0,1}} obs-agree(rounds[i] − 1, v) then
             pc ← decide
         elseif ∃_{v ∈ {0,1}} obs-leader-agree(v) then
             value(i) ← obs-leader-value
             round(i) ← rounds[i] + 1
             obs ← ∅
             pc ← read1
         else
             value(i) ← ⊥
             obs ← ∅
             pc ← read2

output check2_i
    Pre: pc = check2
    Eff: if ∃_{v ∈ {0,1}} obs-leader-agree(v) then
             value(i) ← obs-leader-value
             round(i) ← rounds[i] + 1
             obs ← ∅
             pc ← read1
         else
             pc ← flip

output decide(v)_i
    Pre: pc = decide ∧ values[i] = v
    Eff: decided ← true
         pc ← nil

output start-flip(r)_i
    Pre: pc = flip
         round(i) = r
    Eff: pc ← wait

input return-flip(v, r)_i
    Eff: if pc = wait and round(i) = r then
             value(i) ← v
             round(i) ← rounds[i] + 1
             obs ← ∅
             pc ← read1

input stop_i
    Eff: stopped ← true
         pc ← nil

Tasks: The locally controlled actions of process i form a single task.

Table 2: The actions and transition relation of AP.

We associate all the locally controlled actions of a process i with a single task. Thus, an 
execution fragment a of AP is fair if all processes that are continuously enabled are scheduled 
eventually in a. 



5 Proving Validity 

The proof of validity is very simple and is based on an invariant property (cf. Invariant 5.2). 
In this section and in the rest of this paper we use the word "invariant" both for automata and 
for execution fragments. An invariant of an automaton is a property that is valid in all the 
reachable states of the automaton; an invariant of an execution fragment is a property that is 
valid in all the states of the execution fragment. For notational convenience, given v ∈ {0, 1},
we denote by $\bar v$ the value $(v + 1) \bmod 2$. We also define a new predicate:

$$agree(r,v) = \forall_j\,(round(j) \ge r \Rightarrow value(j) = v).$$



That is, predicate agree(r,v) is true if all the processes at round at least r agree on value v. 

Invariant 5.1 Let α be an execution of AP where no action of the form init(v)_i occurs. Then
each state of α satisfies agree(1, $\bar v$) and, for every process i, obs-agree(1, $\bar v$)_i.

Proof. Straightforward inductive argument. Informally, each process observes that the leaders
agree on $\bar v$, and thus no process ever flips a coin or chooses v as its preferred value for the next
round. ■

Invariant 5.2 For each reachable state of AP, and each pair of processes i,j, 

1. $s.round(i) = 0 \Rightarrow s.value(i) = \bot$, and

2. $s.rounds[i]_j = 0 \Rightarrow s.values[i]_j = \bot$.

Proof. Straightforward inductive argument. ■ 

Theorem 5.3 (Validity property) Let a be an execution of AP where no action of the form 
init(v)i occurs. Then in a no action of the form decide(v)i occurs. 

Proof. Suppose by contradiction that there is an occurrence of action decide(v)_i in α, and
let s be the state immediately before action decide(v)_i. From the transition relation of AP,
$s.values[i]_i = v$, and by Invariant 5.2, $s.rounds[i]_i > 0$. This contradicts Invariant 5.1. ■
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6 Proving Agreement 

In this section we prove the agreement property of AP, that is, that any two processes that 
decide within an execution decide the same value (cf. Theorem 6.2). We give the high level 
proof in Section 6.1 and we prove the main invariant in Section 6.2. 

6.1 High Level Proof 

The key idea of the agreement proof is that if a process i that is at round r is "about to decide" 
on some value v, then every process that is at round r or higher has its value equal to v. We 
formalize this statement in Invariant 6.1. 

Invariant 6.1 Let i be a process. Given a reachable state of AP, let v = value(i) and r = 
round(i). Then 

$$(\textit{obs-agree}(r - 1, v)_i \wedge \textit{obs-leader}(i)_i \wedge obs_i = \{1, \dots, n\}) \Rightarrow agree(r, v).$$

Invariant 6.1 states that if process i has observed all the other processes and has determined 
that it is a leader and that all the processes at round at least r — 1 agree on a value v, then all 
the processes at round at least r agree on a value v. Before giving the proof of Invariant 6.1, we 
use Invariant 6.1 to prove the agreement property. Essentially the idea is that the premise of 
Invariant 6.1 is stable, that is, it is always satisfied in the future once it is satisfied: if process 
i satisfies the premise of Invariant 6.1, then process i decides on value v, and thus the local 
state of process i does not change any more. 

Theorem 6.2 (Agreement property) For every trace γ of AP the following is true: if
decide(v)_i and decide(v')_j both occur in γ then v = v'.

Proof. Let γ be a trace of AP such that decide(v)_i and decide(v')_j both occur in γ. Let α
be an execution of AP that has trace γ. Assume without loss of generality that decide(v)_i
occurs first in γ. Let s_i and s_j be the states before actions decide(v)_i and decide(v')_j occur,
respectively. From the transition relation of AP, process i satisfies the premise of Invariant 6.1
in state s_i, and process j satisfies the premise of Invariant 6.1 in state s_j. Thus,
s_i.agree(round(i), v) and s_j.agree(round(j), v'). Furthermore, it is a simple inductive
argument to show that the premise of Invariant 6.1 is stable, that is, once it is satisfied it continues
to be satisfied. Thus, s_j.agree(round(i), v). Since in s_j there is at least one process at round
max(s_j.round(i), s_j.round(j)), we derive that v = v'. ■
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6.2 Proof of Invariant 6.1 

The problem with Invariant 6.1 is that it is not strong enough to hold inductively. Therefore, we 
provide a stronger invariant (cf. Invariant 6.3) that implies Invariant 6.1 and holds inductively. 
Invariant 6.1 guarantees that some properties hold for those states where a process i has 
observed all other processes; for the inductive argument we need to guarantee some properties 
also for those states where process i has not observed all other processes yet. Furthermore, we 
need to ensure more properties than just the fact that all processes at round at least r have 
value v. In particular, we need to make sure that all processes at round r — 1 cannot reach 
round r with a value different from v. 

Given v ∈ {0, 1}, denote by $\bar v$ the value $(v + 1) \bmod 2$. Define new predicates and functions
fill-max-round_i, fill-leader(j)_i, fill-agree(r, v)_i, and fill-leader-agree(v)_i to be the same as the
corresponding predicates and functions obs-max-round_i, obs-leader(j)_i, obs-agree(r, v)_i, and
obs-leader-agree(v)_i, with the following exception: the rounds and preferred values used in
the definitions are the values observed by i for the processes that i has already observed,
and the actual values of the shared variables for the processes that i has not yet observed.
In other words, an incomplete observation is "completed instantly" with the actual values of
the unobserved processes. Formally, for each process i, let fill-rounds_i and fill-values_i be two
vectors defined as follows:

$$\textit{fill-rounds}[j]_i = \begin{cases} rounds[j]_i & \text{if } j \in obs_i, \\ round(j) & \text{if } j \notin obs_i, \end{cases}
\qquad
\textit{fill-values}[j]_i = \begin{cases} values[j]_i & \text{if } j \in obs_i, \\ value(j) & \text{if } j \notin obs_i. \end{cases}$$

The vectors fill-rounds and fill-values are called the filled vectors of rounds and values. Then,

$$\begin{aligned}
\textit{fill-max-round}_i &= \max_j(\textit{fill-rounds}[j]_i), \\
\textit{fill-leader}(j)_i &= \textit{fill-rounds}[j]_i = \textit{fill-max-round}_i, \\
\textit{fill-agree}(r,v)_i &= \forall_j\; \textit{fill-rounds}[j]_i \ge r \Rightarrow \textit{fill-values}[j]_i = v, \\
\textit{fill-leader-agree}(v)_i &= \textit{fill-agree}(\textit{fill-max-round}_i, v)_i.
\end{aligned}$$

The actual invariant that we prove is the following. 

Invariant 6.3 Let i be a process. Given a reachable state of AP, let v = value(i), r =
round(i). If the following holds

1. $\textit{obs-agree}(r - 1, v)_i$,

2. $\textit{fill-agree}(r, v)_i$,

3. $\textit{fill-max-round}_i = r$,

then

a. $\forall_j\, \textit{obs-agree}(r, v)_j$,

b. $agree(r, v)$,

c. $\forall_{j \in obs_i}\, \big((round(j) = r - 1 \wedge value(j) \ne v) \Rightarrow \textit{fill-max-round}_j \ge r\big)$.

Informally, Invariant 6.3 states that if nothing is preventing some process i from deciding 
on a value v at round r, then none of the processes observed by i is in a position to cause 
other processes not to agree on v at round r. Thus, the premises state that according to the 
observations of process i, process i is a leader at round r and observes that the other processes 
that are at round at least r — 1 agree on v; furthermore all the non-observed processes do 
not compromise the leadership of process i and agree on v if they are at round at least r. 
This means that it is possible for i to decide on v after completing its scan: the non-observed 
processes that are at round r — 1 and do not agree on v may reach round r with value v before 
being observed by i. Condition a states that all processes observe agreement on v from round 
r, Condition b states that all processes at round at least r do agree on v, and Condition c 
states that none of the processes that have been observed already by process i is in a condition 
to reach round r with a value different from v. 

At this point we can understand better the use of ⊥ in AP. When a process i is about to
decide on v at round r, it could be the case that another process j at round r − 1 is about to
flip a coin for the value to be used in round r. Process j could have observed some old values
of the other processes. However, in such a case the value of process j would be ⊥. Then,
Condition c ensures that process j observes some process at round at least r, and thus, from
Condition a, process j observes that the leaders agree on v. Hence, process j cannot flip. In
other words, a process j might not discover that another process i is about to decide on v at
round r during its first scan; however, process j would certainly discover the intent of process
i during its second scan.

Observe that Invariant 6.3 implies Invariant 6.1 directly; thus, proving Invariant 6.3 is 
sufficient to prove Invariant 6.1. To prove Invariant 6.3 we need several auxiliary invariants that 
illustrate some of the key ideas behind the algorithm. Several invariants have straightforward 
inductive proofs, which we omit. The first invariant, Invariant 6.4, states that a process that 
has not started yet is at round 0. 

Invariant 6.4 Let i be a process. Then, for each reachable state of AP, 

$(pc_i = init) \Rightarrow (round(i) = 0)$. ■
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Invariant 6.5 states that a process has observed all other processes whenever either it has 
decided, or it is checking the local variables, or it is interacting with the coin flipping protocol. 

Invariant 6.5 Let i be a process. Then, for each reachable state of AP, 

$pc_i \in \{check1, check2, decide, flip, wait\} \Rightarrow obs_i = \{1, \dots, n\}$. ■

Invariant 6.6 states that the preferred value of a process is _L during the second scan of the 
shared variables and during the interaction with the coin flipping protocol. 

Invariant 6.6 Let i be a process. Then, for each reachable state of AP, 

$pc_i \in \{read2, check2, flip, wait\} \Rightarrow value(i) = \bot$. ■

Invariant 6.7 states that if a process is interacting with a coin flipping protocol, then that 
process observes that the leaders do not agree. 

Invariant 6.7 Let i be a process. Then, for each reachable state of AP, 

$pc_i \in \{flip, wait\} \Rightarrow \nexists_v\, \textit{obs-leader-agree}(v)_i$. ■

Invariant 6.8 states that the round numbers observed by each process are never larger than 
the actual round numbers of the processes. 

Invariant 6.8 Let i,j be two processes. Then, for each reachable state of AP, 

$rounds[j]_i \le round(j)$. ■

Invariant 6.9 is a consequence of the fact that a process cannot prefer two different values
during the same round. That is, if process j observes the current round of process i and
process i does not prefer ⊥, then the value of process i observed by process j coincides
with the actual preferred value of process i. In other words, if process j observes that at some
point process i is at round r and prefers value v, then the actual preferred value of process i
while its round is r is either v or ⊥.

Invariant 6.9 Let i, j be two processes. Then, for each reachable state of AP,

$(rounds[i]_j = round(i) \wedge value(i) \in \{0, 1\}) \Rightarrow (values[i]_j = value(i))$.
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Proof. For notational convenience, let I(s) denote the invariant above. We prove I(s) by 
induction on the length of an execution of AP leading to s. If s is a start state, then I(s) is 
satisfied trivially since s.value(i) = _L for all i. For the inductive step it is enough to show 
that for every transition (s,a,s r ) of AP, I(s) implies I(s'). We distinguish the following cases 
based on a. 

1. a = readl(i)j or a = read2(i)j. 

The transition relation of AP ensures that s' .values[i]j = s' .value(i). Thus, I(s') is true. 

2. a = checkli or a = check2i or a = start(v)i, or a = return- flip{v ,r){, v £ {0, 1}, r > 0. 

If s' .pc i = decide, then none of the relevant variables for I(s') has changed, and thus I(s') 
is true; if s' .pc i j^ decide, then either s' .round(i) = s.round(i) + 1 or s' .value(i) = _L (cf. 
Ivariants 6.4 and 6.6). In the first case, since process j does not change state, and since 
by Invariant 6.8 s.round(i) > s.rounds[i]j, we derive that s' .round(i) > s' .rounds[i]j. 
Thus, in both cases one of the premises of I(s') is not satisfied, which means that I(s') 
is true. 

3. None of the previous cases hold. 

I(s) implies I(s') trivially, since all the relevant components stay unchanged. ■ 

Invariant 6.10 states that whenever a process has observed itself, the observed round and value 
coincide with the actual round and value. 

Invariant 6.10 Let i be a process. Then, for each reachable state of AP, 

$i \in obs_i \Rightarrow (rounds[i]_i = round(i) \wedge values[i]_i = value(i))$.

Proof. Fix a process i. For notational convenience let I(s) denote the invariant above. We
prove I(s) by induction on the length of an execution of AP leading to s. If s is a start state,
then I(s) is satisfied trivially since s.obs_i = ∅. For the inductive step it is enough to show
that for every transition (s, a, s') of AP, I(s) implies I(s'). We distinguish the following cases
based on a.

1. a = read1(i)_i or a = read2(i)_i.

The transition for read(i)_i ensures that s'.rounds[i]_i = s.round(i) and that s'.values[i]_i =
s.value(i). Since round(i) and value(i) do not change from s to s', I(s') is true.

2. a = check1_i or a = check2_i or a = init(v)_i, or a = return-flip(v, r)_i, v ∈ {0, 1}, r > 0.

If s'.pc_i ∈ {decide, flip}, then none of the relevant variables for I(s') has changed from
s to s', and I(s') is true. If s'.pc_i ∉ {decide, flip}, then s'.obs_i = ∅, falsifying i ∈ s'.obs_i.
Therefore, I(s') is satisfied trivially.

3. None of the cases above hold.

I(s) implies I(s') trivially, since all the relevant conditions stay unchanged. ■

Invariant 6.11 states that whenever the maximum round is at most r and all processes agree 
on a value v from round r, then all processes observe that there is agreement on v from round 
r. 

Invariant 6.11 Let r be a non-negative integer and v £ {0, 1}. Then, for each reachable state 
ofAP, 

$(\textit{max-round} \le r \wedge agree(r, v)) \Rightarrow \forall_j\, \textit{obs-agree}(r, v)_j$.

Proof. Suppose that the premises of the invariant above are satisfied, and let i, j be two
processes such that rounds[i]_j ≥ r. By Invariant 6.8 and from max-round ≤ r, rounds[i]_j = round(i) = r.
Thus, from agree(r, v), value(i) = v. By Invariant 6.9, values[i]_j = v. ■
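Tables 1 and 2 of Section 4.2 and the invariants above are concrete enough to execute. The Python model below is an added example and not code from the paper: it encodes the state variables of Table 1 and the transition relation of Table 2 for n processes, drives them with a seeded scheduler that picks the next process (and the order in which a process scans the shared variables) arbitrarily and may inject stop_i faults, and after every step evaluates Invariants 6.5, 6.6, 6.8 and 6.9 together with the validity and agreement properties of Sections 5 and 6. The coin flippers CF_r are left unspecified in the paper; the model replaces the start-flip/return-flip exchange by an independent fair coin per invocation. That is an assumption of this example: it leaves the safety properties untouched (their proofs do not depend on the coin) but says nothing about expected running time, which is what the shared coin is for. All class and function names are the example's own.

```python
"""Executable model of the agreement protocol AP (Tables 1 and 2) with run-time checks of Invariants
6.5-6.9, validity and agreement. Added example, not the paper's code; the coin flipper is an assumption."""
import random
from typing import Dict, List, Optional, Set

BOT = None  # the value ⊥

class Process:
    def __init__(self, pid: int, n: int, start: int) -> None:
        self.pid, self.n, self.start = pid, n, start         # start is set by input init(v)_i
        self.value, self.round, self.pc = BOT, 0, "init"     # shared value(i), round(i)
        self.values, self.rounds = [BOT] * n, [0] * n
        self.obs: Set[int] = set()
        self.decided = self.stopped = False
        self.decision: Optional[int] = None

    def obs_max_round(self) -> int:
        return max(self.rounds[j] for j in self.obs)

    def obs_agree(self, r: int, v: int) -> bool:
        return all(self.values[j] == v for j in self.obs if self.rounds[j] >= r)

    def obs_leader_value(self) -> Optional[int]:
        agreeing = [v for v in (0, 1) if self.obs_agree(self.obs_max_round(), v)]
        return agreeing[0] if agreeing else None  # 0 and 1 never agree at once

class AP:
    def __init__(self, initial_values: List[int], rng: random.Random) -> None:
        self.rng = rng
        self.procs = [Process(i, len(initial_values), v) for i, v in enumerate(initial_values)]

    def _next_round(self, p: Process, v: int) -> None:
        p.value, p.round, p.obs, p.pc = v, p.rounds[p.pid] + 1, set(), "read1"

    def step(self, i: int) -> None:               # one locally controlled action of i (Table 2)
        p = self.procs[i]
        if p.pc == "init":                        # start(v)_i
            p.value, p.round, p.obs, p.pc = p.start, 1, set(), "read1"
        elif p.pc in ("read1", "read2"):          # read1(k)_i / read2(k)_i, k chosen arbitrarily
            k = self.rng.choice(sorted(set(range(p.n)) - p.obs))
            p.values[k], p.rounds[k] = self.procs[k].value, self.procs[k].round
            p.obs.add(k)
            if len(p.obs) == p.n:
                p.pc = "check1" if p.pc == "read1" else "check2"
        elif p.pc == "check1":                    # check1_i; obs-leader(i) is rounds[i] = obs-max-round
            if p.rounds[i] == p.obs_max_round() and any(p.obs_agree(p.rounds[i] - 1, v) for v in (0, 1)):
                p.pc = "decide"
            elif p.obs_leader_value() is not None:
                self._next_round(p, p.obs_leader_value())
            else:
                p.value, p.obs, p.pc = BOT, set(), "read2"
        elif p.pc == "check2":                    # check2_i
            v = p.obs_leader_value()
            if v is not None:
                self._next_round(p, v)
            else:
                p.pc = "flip"
        elif p.pc == "flip":                      # start-flip(r)_i + return-flip(v, r)_i with a local coin
            self._next_round(p, self.rng.randrange(2))
        elif p.pc == "decide":                    # decide(v)_i
            p.decided, p.decision, p.pc = True, p.values[i], "nil"

def violated_invariants(ap: AP) -> Set[str]:
    """Invariants 6.5, 6.6, 6.8 and 6.9 that fail in the current state."""
    bad: Set[str] = set()
    for p in ap.procs:
        holds = {
            "6.5": p.pc not in ("check1", "check2", "decide", "flip") or len(p.obs) == p.n,
            "6.6": p.pc not in ("read2", "check2", "flip") or p.value is BOT,
            "6.8": all(p.rounds[q.pid] <= q.round for q in ap.procs),
            "6.9": all(p.values[q.pid] == q.value for q in ap.procs
                       if p.rounds[q.pid] == q.round and q.value in (0, 1)),
        }
        bad.update(name for name, ok in holds.items() if not ok)
    return bad

def run(initial_values: List[int], seed: int, max_steps: int = 20000,
        crash_prob: float = 0.0, round_robin: bool = False) -> Dict:
    """Schedule AP until every process has pc = nil or the step budget is spent."""
    rng = random.Random(seed)
    ap = AP(initial_values, rng)
    violations: Set[str] = set()
    for t in range(max_steps):
        live = [i for i in range(len(ap.procs)) if ap.procs[i].pc != "nil"]
        if not live:
            break
        i = live[t % len(live)] if round_robin else rng.choice(live)
        if crash_prob and rng.random() < crash_prob:
            ap.procs[i].stopped, ap.procs[i].pc = True, "nil"   # input stop_i (stopping fault)
        else:
            ap.step(i)
        violations |= violated_invariants(ap)
    decided = {p.pid: p.decision for p in ap.procs if p.decided}
    return {"decisions": decided,
            "agreement": len(set(decided.values())) <= 1,
            "validity": set(decided.values()) <= set(initial_values),
            "all_live_decided": all(p.decided for p in ap.procs if not p.stopped),
            "invariant_violations": sorted(violations)}
```

With all initial values equal, every process observes that the leaders agree, nobody ever sets ⊥ or flips, and each process decides by the end of its round-2 scan under any fair schedule, which is the content of Invariant 5.1 and Theorem 5.3. With disagreeing inputs the report shows agreement, validity and the invariants holding on every seeded run, while termination of such runs depends on the coin: the local coin used here terminates with probability 1 under the random scheduler but gives none of the expected-time guarantees that the paper obtains from the shared-coin protocols CF_r.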

The following lemma is more technical and is used to shorten the inductive argument in the 
proof of Invariant 6.3. It states that, under certain conditions, if the premises of Invariant 6.3 
are satisfied in the post-state of a transition, then the premises of Invariant 6.3 are satisfied in 
the pre-state of the transition as well. 

Lemma 6.12 Let (s, a, s') be a transition of AP, where a is either read1(k)_j or read2(k)_j or
check1_j or check2_j or return-flip(v', r')_j, v' ∈ {0, 1}, r' > 0. Let i be a process such that i ≠ j
if a = check1_j or a = check2_j or a = return-flip(v', r')_j. If, for v ∈ {0, 1} and r > 0, the
following conditions hold in s':

1. obs-agree(r − 1, v)_i,

2. fill-agree(r, v)_i,

3. fill-max-round_i = r,

4. value(i) = v and round(i) = r,

then the same conditions hold in s as well.

Proof. We distinguish two cases based on a.

1. a = read1(k)_j or a = read2(k)_j.

Observe that for each process l, s.value(l) = s'.value(l) and s.round(l) = s'.round(l).
This implies Condition 4 in s. It is left to show Conditions 1, 2, and 3 for s. If
i ≠ j then s.values_i = s'.values_i and s.rounds_i = s'.rounds_i. Thus, Conditions 1, 2,
and 3 are satisfied trivially in s. If i = j, then for every process l such that l ≠ k,
s.values[l]_i = s'.values[l]_i and s.rounds[l]_i = s'.rounds[l]_i. Since k ∉ s.obs_i (i is reading
from k), and since Condition 1 holds in s', Condition 1 also holds in s. Condition 2
follows directly from Condition 2 for s' and the fact that s'.values[k]_i = s.value(k)
and s'.rounds[k]_i = s.round(k); Condition 3 follows from Condition 3 in s' and from
s'.rounds[k]_i = s.round(k).

2. a = check1_j or a = check2_j or a = return-flip(v', r')_j.

Observe that, by Invariants 6.5 and 6.10, s.round(j) = s.rounds[j]_j. Conditions 3 and
4 are trivial, since the state of process i is the same in s and s' (i ≠ j), s.round(j) ≤
s'.round(j), and s.round(i) = r. Similarly, Condition 1 holds in s. It is left to show
that Condition 2 holds in s. Since j is the only process that changes state, and since
Condition 2 is affected only if j ∉ s'.obs_i, which is equivalent to j ∉ s.obs_i, it is sufficient
to verify s.round(j) = r ⇒ s.value(j) = v under the assumption that j ∉ s.obs_i. We
distinguish two cases.

(a) s'.pc_j ∈ {decide, flip}.

No other state variable has changed in the transition. Thus, Condition 2 holds in s.

(b) s'.pc_j ∈ {read1, read2}.

From Condition 3 in s' we have s'.round(j) ≤ r. If s'.value(j) = ⊥, then Condition 2
for s' implies s'.round(j) < r, and therefore s.round(j) < r, which implies Condition
2 for s. If s'.value(j) ≠ ⊥, then the transition relation of AP implies s.round(j) <
s'.round(j), and therefore, since from Condition 3 s'.round(j) ≤ r, s.round(j) < r.
This implies Condition 2 for s. ■

Proof of Invariant 6.3 

For notational convenience, for each state s and process i let I(s) denote the whole invariant,
C1(s, i), C2(s, i), and C3(s, i) denote Conditions 1, 2, and 3, respectively, and Ca(s, i),
Cb(s, i), and Cc(s, i) denote Conditions a, b, and c, respectively.

We prove I(s) by induction on the length of an execution of AP leading to s. If s is a start
state, then I(s) is satisfied trivially since s.value(j) = ⊥ for all j and s.obs_i = ∅, and thus
C2(s, i) is not satisfied. For the inductive step it is enough to show that for every transition
(s, a, s') of AP, I(s) implies I(s'). We distinguish the following cases based on a.

1. a = start(v')_j for some v' and j.

Consider a process i such that C1(s', i) ∧ C2(s', i) ∧ C3(s', i). Let r = s'.round(i),
v = s'.value(i). We distinguish the following cases.

(a) i = j.

In this case r = 1 and v' = v. Since s'.obs_i = ∅, Cc(s', i) is trivially true, and
Cb(s', i) follows from C2(s', i). Furthermore, from C3(s', i), s'.max-round = 1, and
thus the premises of Invariant 6.11 are satisfied, giving Ca(s', i).
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(b) i 7= j and r = 1. 

From Ci (V, i),j ^ s' .obsi, otherwise process i would have observed _L at round r — 1. 
Thus, from C2(s', i), v' = v. Since, except for process j, all the relevant components 
for Cl(s,i) and C2(s,i) do not change, we derive Cl(s,i)A C2(s,i). If C3(s,i) is 
true as well, then Ca(s, i)ACb(s, i)ACc(s, i) is true, and Ca(s' , i)ACb(s' , i)ACc(s', i) 
follow directly. If C3(s, i) is false, then s.obsi = 0, otherwise Cl(s, i) would be false, 
and thus j is the only process in s' that is at round r. This implies Cb(s' , i) A Cc(s', i) 
directly. By Invariant 6.8, Ca(s,i) is true, and thus, since none of the relevant state 
components change, Ca(s',i) is true as well. 

(c) i j^ j and r = 2. 

Observe that Cl(s,i) A C2(s,i) A C3(s,i) is true, since process j does not affect 
their validity. Thus, Ca(s,i) A Cb(s,i) A Cc(s,i) is true. Then, Ca(s',i) A Cb(s',i) 
since process j does not affect their validity. Since s'.obsj = 0, from C3(s',i) and 
by Invariant 6.8 we derive that process j satisfies the condition for Cc(s',i). Thus, 
Cc(s',i) follows from Cc(s,i). 

(d) i 7^ j and r > 2. 

I(s') follows trivially from I(s) since process j does not affect any of the relevant 
conditions. 

2. a = read1(k)_j or a = read2(k)_j for some j and k.

Consider a process i such that C1(s', i) ∧ C2(s', i) ∧ C3(s', i). Let r = s'.round(i),
v = s'.value(i). By Lemma 6.12, s.value(i) = v, s.round(i) = r, and C1(s, i) ∧ C2(s, i) ∧
C3(s, i). Since I(s) is true, we also have Ca(s, i) ∧ Cb(s, i) ∧ Cc(s, i). We need to show
Ca(s', i) ∧ Cb(s', i) ∧ Cc(s', i).

To show Ca(s', i) it is enough to show that s'.rounds[k]_j ≥ r ⇒ s'.values[k]_j = v. From
the transition relation of AP, s'.rounds[k]_j = s.round(k) and s'.values[k]_j = s.value(k).
Thus, Cb(s, i) suffices.

Cb(s', i) follows trivially from Cb(s, i) since none of the relevant state components change.

For Cc(s', i), suppose that j ∈ s'.obs_i, s'.round(j) = r − 1, s'.value(j) ≠ v. Observe that
i ≠ j since s.round(i) = r and thus s'.round(i) ≠ r − 1. The terms s.fill-max-round_j
and s'.fill-max-round_j differ only in the use of round(k) and rounds[k]_j. The transition
relation of AP ensures the equality of the two terms above. Thus, Cc(s', i) follows from
Cc(s, i).

3. For some j, a = check1_j or a = check2_j or a = return-flip(v',r')_j, v' ∈ {0,1}, r' > 0.

Consider a process i such that C1(s',i) ∧ C2(s',i) ∧ C3(s',i). Let r = s'.round(i),
v = s'.value(i). Observe that, by Invariants 6.5 and 6.10, s.round(j) = s.rounds[j]_j.
Furthermore, observe that for all processes l,

$$s'.\mathit{rounds}_l = s.\mathit{rounds}_l \ \wedge\ s'.\mathit{values}_l = s.\mathit{values}_l \ \wedge\ s'.\mathit{obs}_l \subseteq s.\mathit{obs}_l. \tag{14}$$

If s'.pc_j ∈ {decide, flip}, then I(s') follows trivially from I(s) since none of the relevant
state components change. Thus, we consider only the case where s'.pc_j ∉ {decide, flip}. In
particular, s'.obs_j = ∅.

If i = j (and s'.pc_j ∉ {decide, flip}), then from s'.obs_i = ∅ we get Cc(s',i). Furthermore,
s'.obs_i = ∅ and C2(s',i) imply s'.agree(r,v), and thus Cb(s',i) is true. From
s'.obs_i = ∅ and C3(s',i), we derive s'.max-round ≤ r. This means that the conditions of
Invariant 6.11 are satisfied, and thus Ca(s',i) is true.

If i ≠ j (and s'.pc_j ∉ {decide, flip}), then Lemma 6.12 implies that s.value(i) = v and
s.round(i) = r and C1(s,i) ∧ C2(s,i) ∧ C3(s,i). Since I(s) is true, we have Ca(s,i) ∧
Cb(s,i) ∧ Cc(s,i). Equation (14) and Ca(s,i) imply Ca(s',i). Since s'.round(i) = r, from
s'.obs_j = ∅ we derive s'.fill-max-round_j ≥ r, and thus Cc(s',i) follows from Cc(s,i). To
show Cb(s',i) we distinguish the following cases.

(a) s.round(j) ≥ r.

By Invariant 6.5, s.obs_j = {1,...,n}, and thus, by Invariant 6.10, s.rounds[j]_j =
s.round(j). From Ca(s,i), since s.obs_j = {1,...,n}, and since s.round(j) ≥ r, we
derive s.obs-leader-agree(v)_j. By Invariant 6.7, s.pc_j ≠ wait, and thus, from the
transition relation of AP, s'.value(j) = v and s'.round(j) ≥ r. Therefore, Cb(s',i)
follows from Cb(s,i).

(b) s.round(j) = r − 1 and s.value(j) = ⊥.

By Invariant 6.5, s.obs_j = {1,...,n}. If j ∈ s'.obs_i, then Ca(s,i) ∧ Cc(s,i) implies
s.obs-leader-agree(v)_j. By Invariant 6.7 and from the transition relation of AP,
s'.value(j) = v and s'.round(j) = r. Therefore Cb(s',i) follows from Cb(s,i). If
j ∉ s'.obs_i, then from C2(s',i), s'.value(j) = v. Thus, Cb(s',i) follows from Cb(s,i).

(c) s.round(j) = r − 1 and s.value(j) ≠ ⊥.

By Invariant 6.5, s.obs_j = {1,...,n}, and by Invariant 6.6, a = check1_j. If j ∉
s'.obs_i, then C2(s',i) implies ¬s.obs-leader-agree(v̄)_j, since otherwise s'.value(j)
would be v̄; if j ∈ s'.obs_i and s.value(j) = v, then Ca(s,i) and Invariant 6.10 imply
¬s.obs-leader-agree(v̄)_j; if j ∈ s'.obs_i and s.value(j) = v̄, then from Cc(s,i) we
derive s.fill-max-round_j ≥ r, and thus, from Ca(s,i), ¬s.obs-leader-agree(v̄)_j.
Thus, in every case we have ¬s.obs-leader-agree(v̄)_j. If s.obs-leader-agree(v)_j, then
from the transition relation of AP we have s'.value(j) = v and s'.round(j) = r.
Therefore, Cb(s',i) follows from Cb(s,i). If ¬s.obs-leader-agree(v)_j, then from the
transition relation of AP we have s'.value(j) = ⊥ and s'.round(j) = r − 1. Again,
Cb(s',i) follows from Cb(s,i).

(d) s.round(j) < r − 1.

Since s'.round(j) < r, Cb(s',i) follows trivially from Cb(s,i).

4. None of the previous cases hold.

I(s) implies I(s') since all the relevant components of s and s' stay unchanged. ■

Proof of Invariant 6.1

Follows directly from Invariant 6.3. ■

7 Non-Probabilistic Progress Properties

Our next objective is to show that in the algorithm of Aspnes and Herlihy some decision is
reached within some expected number of rounds. This property depends on the probabilistic
properties of the coin flipping protocols. However, there are several progress properties of the
algorithm that do not depend on any probabilistic assumption. In this section we study such
properties. The advantage of this approach is that we can use existing techniques for ordinary
nondeterministic systems and confine the probabilistic arguments to a very limited part of
the analysis. In this way we can also point out very precisely what the essential role of
probability is within the protocol we analyze. The results of this section are integrated with
probabilistic arguments in Section 8.

For each round r, let CF_r be a coin flipping protocol, that is, a probabilistic automaton with
the interface of a coin flipper of Figure 2. Define AH (Aspnes-Herlihy) to be AP ‖ (‖_{r≥1} CF_r).

For each finite execution fragment α of AH, define

$$\phi_{\mathit{MaxRound}}(\alpha) = \mathit{lstate}(\alpha).\mathit{max\text{-}round} - \mathit{fstate}(\alpha).\mathit{max\text{-}round},$$

where max-round is a function that gives the maximum round number among all the processes.
Since the round number of each process is monotonically nondecreasing, it is immediate to
verify that φ_MaxRound is a complexity measure. Define the following sets of states.

ℛ  the set of reachable states of AH such that ∃i (pc_i ∉ {init, nil});
𝒟  the set of reachable states of AH such that ∀i (pc_i ∈ {init, nil}).

We call the states of ℛ active, since they represent situations where some process is participating
actively in the consensus protocol. We want to show that, under some special conditions on
the coin flipping protocols, starting from any state of ℛ, a state from 𝒟 is reached within some
bounded number of rounds. It turns out that it is easier to split the problem in two parts: first
we show a simple property that, unless the algorithm terminates, the system reaches a point
where one process has just moved to a new maximum round (ℱ_0 and ℱ_1 below, where the
subscript corresponds to the value preferred by the process at the maximum round); then, we
show that from such an intermediate point, under some special conditions on the coin flipping
protocols, the algorithm terminates. Formally, define the following sets of states.

ℱ_0  the set of states of ℛ where there exists a round r and a process l such that round(l) = r,
     value(l) = 0, obs_l = ∅, and for all processes j ≠ l, round(j) < r;
ℱ_1  the set of states of ℛ where there exists a round r and a process l such that round(l) = r,
     value(l) = 1, obs_l = ∅, and for all processes j ≠ l, round(j) < r.

We show two properties, the first of which is almost trivial:

1. (Proposition 7.3) If AH is in a state s of ℛ and all invocations to the coin flippers on
non-failing ports get a response, then a state from ℱ_0 ∪ ℱ_1 ∪ 𝒟 is reached within one
round.

2. (Proposition 7.8) If AH is in a state s of ℱ_v, all invocations to the coin flippers on
non-failing ports get a response, and all invocations to CF_{s.max-round} get only response
v, then a state from 𝒟 is reached within two rounds.

To state formally the two properties above we need to define the meaning of the sentences "all
invocations to the coin flippers on non-failing ports get responses" and "all invocations to CF_r
get only response v", which we identify with the concepts of responsiveness and (v,r)-globality,
respectively.

Definition 7.1 A port i is non-failing in an execution fragment α of AH or of CF_r if action
stop_i does not occur in α.

An invocation to CF_r from process i is pending in a reachable state s of CF_r if there is
an execution α of CF_r, ending in state s, such that in α port i is non-failing, there is at least
one occurrence of action start-flip(r)_i, and the last occurrence of start-flip(r)_i is not followed
by any action of the form return-flip(v,r)_i.

An execution fragment α of CF_r is responsive if, for each decomposition α_1 ⌢ α_2 of α the
following holds: if in fstate(α_2) there is a pending request of process i to CF_r, then in α_2
either action stop_i occurs, or action return-flip(v,r)_i occurs for some v ∈ {0,1}. An execution
fragment α of AH is responsive if, for each r > 0, α|CF_r is responsive.

An execution fragment α of CF_r is v-global if for each action of the form return-flip(v',r)_i
that occurs in α, v' = v. An execution fragment α of AH is (v,r)-global if α|CF_r is v-global.
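
Definition 7.1 is phrased over the external actions of CF_r only (see Remark 7.1), so it can be
checked mechanically on a trace of those actions. The following Python functions are an added
example and not code from the paper: they encode a trace as a list of tuples (action, port,
round, value), a representation this example assumes, and decide pendency, responsiveness,
v-globality and (v,r)-globality exactly as the definition reads, including the projection α|CF_r
that keeps start-flip(r)_i, return-flip(v,r)_i and stop_i. The trace SAMPLE is constructed for
illustration: port 3 fails in round 1, round 2 returns both values, and the request of round 3 is
never answered.

```python
# Added example (not code from the paper): Definition 7.1 as executable predicates over the
# externally visible actions of the coin flippers.  Traces are lists of tuples
# (action, port, round, value); round/value are None where the action has none.

def failed(trace, i):
    """Port i is failing in the trace if some stop_i occurs in it."""
    return any(a == "stop" and p == i for a, p, _, _ in trace)


def pending(trace, i):
    """Process i has a pending request at the end of the trace: its port is non-failing,
    start-flip_i occurred, and the last start-flip_i is not followed by any return-flip_i."""
    if failed(trace, i):
        return False
    last_start = last_return = None
    for t, (a, p, _, _) in enumerate(trace):
        if p == i and a == "start-flip":
            last_start = t
        elif p == i and a == "return-flip":
            last_return = t
    return last_start is not None and (last_return is None or last_return < last_start)


def is_responsive(trace):
    """For every decomposition a1 ^ a2: a request of i pending at the end of a1 is followed
    in a2 by stop_i or by some return-flip_i."""
    for k in range(len(trace) + 1):
        a1, a2 = trace[:k], trace[k:]
        for i in {p for _, p, _, _ in a1}:
            answered = any(p == i and a in ("stop", "return-flip") for a, p, _, _ in a2)
            if pending(a1, i) and not answered:
                return False
    return True


def is_v_global(trace, v):
    """Every return-flip in the trace carries value v (vacuously true without returns)."""
    return all(val == v for a, _, _, val in trace if a == "return-flip")


def project(ah_trace, r):
    """The projection a|CF_r: start-flip(r)_i, return-flip(v, r)_i and every stop_i."""
    return [x for x in ah_trace if x[0] == "stop" or x[2] == r]


def ah_responsive(ah_trace):
    """An execution fragment of AH is responsive if its projection on every CF_r is."""
    rounds = {x[2] for x in ah_trace if x[2] is not None}
    return all(is_responsive(project(ah_trace, r)) for r in rounds)


def ah_v_global(ah_trace, v, r):
    """(v, r)-globality of an AH trace: its projection on CF_r is v-global."""
    return is_v_global(project(ah_trace, r), v)


# Constructed sample trace (not from the paper): three ports, three rounds.
SAMPLE = [
    ("start-flip", 1, 1, None), ("start-flip", 2, 1, None), ("start-flip", 3, 1, None),
    ("return-flip", 1, 1, 1), ("stop", 3, None, None), ("return-flip", 2, 1, 1),
    ("start-flip", 1, 2, None), ("start-flip", 2, 2, None),
    ("return-flip", 1, 2, 0), ("return-flip", 2, 2, 1),
    ("start-flip", 1, 3, None),        # port 1 is never answered in round 3
]

if __name__ == "__main__":
    for r in (1, 2, 3):
        print(f"round {r}: responsive={is_responsive(project(SAMPLE, r))}, "
              f"0-global={ah_v_global(SAMPLE, 0, r)}, 1-global={ah_v_global(SAMPLE, 1, r)}")
    print("AH trace responsive:", ah_responsive(SAMPLE))
```

Running the module prints the verdict per round: round 1 is responsive and 1-global, round 2 is
responsive but neither 0- nor 1-global, and round 3 is not responsive (yet vacuously v-global for
both v, since no return-flip occurs in it); therefore the whole trace is not responsive. The
quadratic scan over all decompositions α_1 ⌢ α_2 follows the definition literally; for a finite
trace it is equivalent to checking that no request of a non-failing port is pending at the end.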



Remark 7.1 The definition of pending request may appear rather cumbersome, since we
could state it just in terms of the components of a state of CF_r. The problem is that CF_r is
not specified yet, and thus we cannot refer to its state components: we can refer only to the
interactions that CF_r has with its external environment. ■

Statement 1 is almost trivial and states that within one round some process moves first
to a new round or all processes terminate. Statement 2 is the key result of this section. It
states that if the maximum round is r and the process at round r has value v, then the system
quiesces within two rounds if CF_r behaves like a global coin flipper. We start with Statement 1,
which requires a trivial preliminary lemma.
Lemma 7.2 Let α be a fair execution fragment of AH that starts from a state of ℛ, and
assume that α is responsive. Then in α either a state from 𝒟 is reached, or max-round grows
unboundedly.

Proof. Follows directly from the fact that all processes perform finitely many operations in
every round. ■

Proposition 7.3 Let s_0 be a state of ℛ, and let α be a fair execution fragment of AH that
starts from state s_0. Suppose that α is responsive. Then in α a state of ℱ_0 ∪ ℱ_1 ∪ 𝒟 is
reached within one round. That is, α = α_1 ⌢ α_2 such that lstate(α_1) ∈ ℱ_0 ∪ ℱ_1 ∪ 𝒟 and
φ_MaxRound(α_1) ≤ 1.

Proof. If 𝒟 is not reached, then, by Lemma 7.2, max-round grows unboundedly. Thus, some
process will be the first process to reach round s_0.max-round + 1. At that point a state from
ℱ_0 ∪ ℱ_1 is reached. ■

This proves Statement 1. For Statement 2 we need to prove some preliminary invariants. The
first invariant is an immediate consequence of the fact that a process has a correct view of
itself whenever it has observed itself.

Invariant 7.4 Let i be a process. Then, for each reachable state of AH,

$$\mathit{fill\text{-}max\text{-}round}_i \ge \mathit{round}(i).$$

Proof. Straightforward inductive argument. ■

The second invariant states that the round of each process is monotonically nondecreasing and
that a process cannot prefer both values 0 and 1 in the same round.

Invariant 7.5 Let α be an execution fragment of AH, and let s_0 = fstate(α) be reachable in
AH. Let l be a process, r = s_0.round(l), and v = s_0.value(l). If v ≠ ⊥, then for each state of
α,

$$\mathit{round}(l) \ge r \ \wedge\ (\mathit{round}(l) = r \Rightarrow \mathit{value}(l) \ne \bar v).$$

Proof. Straightforward inductive argument. ■

The third invariant is more technical. The important part is the second condition, which states
that all processes observe agreement on value v from round r + 1 provided that the coin flipper
for round r always returns v, that at the beginning there is exactly one process at round r,
and that the process at round r prefers value v. The other two conditions are necessary to
carry out the inductive proof.

Invariant 7.6 Let α be an execution fragment of AH whose first state s_0 is a state of ℱ_v.
Let r = s_0.max-round, and let l be the (unique) process that satisfies s_0.round(l) = r. Suppose
that α is (v,r)-global. Then, for each state of α,

1. ∀j (round(j) = r ⇒ ¬fill-leader-agree(v̄)_j),

2. ∀j fill-agree(r + 1, v)_j,

3. agree(r + 1, v).

Proof. For notational convenience let L(s) denote the whole invariant. State s_0 satisfies
Conditions 2 and 3 trivially since s_0.max-round < r + 1. For Condition 1, since process l is
the only process at round r, and since s_0.value(l) = v and s_0.obs_l = ∅, it cannot be the case
that s_0.fill-leader-agree(v̄)_l. For the inductive step we consider a subsequence s a s' of α and we
distinguish cases based on a.

1. a = init(v')_i for some i.

If r > 1, then none of the conditions of L(s) are affected. If r = 1, then Conditions 2
and 3 are not affected either. Consider a generic process j such that s'.round(j) =
r. If j = i, then since s'.obs_j = ∅, Invariant 7.5 and Condition 3 for s' ensure that
¬fill-leader-agree(v̄)_j. If j ≠ i, then, since Condition 1 holds in s, there is some process
k ≠ i that is a leader with value different from v̄ in the filled vector of process j. We
know that k ≠ i because, by Invariant 7.4, s.fill-max-round_j ≥ r, and thus process i
could not affect Condition 1 in s. The k-th entry of the filled vector of j is not affected
during the transition from s to s', and thus Condition 1 is preserved.

2. a = read1(k)_i or a = read2(k)_i for some i and k.

In this case Condition 3 is not affected. Thus, we need to deal only with Conditions 1
and 2, which are affected only for process i. In particular, Conditions 1 and 2 differ
in s and s' for the use of (round(k), value(k)) and (rounds[k]_i, values[k]_i), respectively.
The transition relation of AP ensures the equality of the terms above, and thus the
preservation of Conditions 1 and 2.

3. a = check1_i or a = check2_i or a = return-flip(v',r')_i for some i.

We consider only the case where r' = round(i), since otherwise nothing changes during
the transition from s to s'. We distinguish the following cases.

(a) s.round(i) < r − 1.

In this case L(s') follows trivially from L(s) since none of the conditions are affected.

(b) s.round(i) = r − 1.

Conditions 2 and 3 are not affected. If s'.round(i) = r − 1, then Condition 1 is not
affected either. Otherwise, s'.obs_i = ∅. Observe also that i ≠ l. Thus, Condition 1
follows from Condition 1 for s and from Invariant 7.5.

(c) s.round(i) = r.

If s'.round(i) = r, then Conditions 2 and 3 are not affected. For Condition 1, if
s'.pc_i = decide, then Condition 1 is not affected; otherwise, s'.value(i) = ⊥ and
s'.obs_i = ∅. Thus, Condition 1 follows from Condition 1 for s and from Condition 3.
If s'.round(i) = r + 1, then Condition 1, the transition relation of AP and the (v,r)-globality
of α ensure that s'.value(i) = v. Thus, Conditions 1, 2 and 3 are all preserved.

(d) s.round(i) > r.

From Condition 2 on s, either process i decides on v, or a new round is reached
with preference v. In both cases Conditions 1, 2 and 3 are preserved.

4. None of the previous cases hold.

L(s') follows trivially from L(s) since none of the relevant state components change. ■

Finally, we can show that from ℱ_v the maximum round of the processes does not grow by more
than 2 provided that the coin flipper at the maximum round always returns v.

Invariant 7.7 Let α be an execution fragment of AH whose first state s_0 is a state of ℱ_v.
Let r = s_0.max-round. Suppose that α is (v,r)-global. Then, for each state of α, and for each
process j,

$$\mathit{round}(j) \le r + 2.$$

Proof. First observe that α satisfies the conditions of Invariant 7.6, which means that Invariant
7.6 is satisfied by all the states of α.

All the cases for the proof are straightforward except for the case where a transition
(s, check1_j, s') occurs and s.round(j) = r + 2. In such case, from Condition 2 of Invariant 7.6,
s.fill-agree(r + 1, v)_j. Since s.obs_j = {1,...,n}, we derive that s.obs-agree(r + 1, v)_j, and thus
process j sets pc_j to decide without reaching round r + 3. Observe that check2_j cannot occur
when round(j) = r + 2 since in such case value(j) = ⊥ and Invariant 7.6 would be violated. ■

Proposition 7.8 Let α be a fair execution fragment of AH whose first state s_0 is a state
of ℱ_v. Let r = s_0.max-round. Suppose that α is responsive and (v,r)-global. Then in α a
state from 𝒟 is reached within two rounds. That is, α = α_1 ⌢ α_2 where lstate(α_1) ∈ 𝒟 and
φ_MaxRound(α_1) ≤ 2.

Proof. Suppose that 𝒟 is not reached in α. Then, by Lemma 7.2, some process eventually
reaches round r + 3, contradicting Invariant 7.7. Therefore, in α a state from 𝒟 is reached.
Furthermore, by Invariant 7.7, a state from 𝒟 is reached within two rounds. ■
8 Probabilistic Progress Properties

Suppose that each coin flipping protocol CF_r satisfies the following properties.

C1 For each fair probabilistic execution fragment of CF_r that starts with a reachable state
of CF_r, the probability of the execution fragments that are responsive is 1.

C2 For each fair probabilistic execution of CF_r, and each value v ∈ {0,1}, the probability
of the executions that are responsive and v-global is at least p, where p is a real number
such that 0 < p ≤ 1.

In this section we show that under Conditions C1 and C2 for every CF_r, AH guarantees
progress within expected O(1/p) rounds. That is, we prove the following proposition.

Proposition 8.1 If each coin flipping protocol CF_r satisfies properties C1 and C2, then in
AH, starting from any state of ℛ and under any fair scheduler, a state from 𝒟 is reached
within at most O(1/p) expected rounds.

Thus, we need to show only that it is possible to build distributed implementations of the coin
flippers that satisfy C1 and C2 with a suitable value for p. We build the implementations in
Sections 9 and 10.

Remark 8.1 Observe that property C1 refers to probabilistic execution fragments, while
property C2 refers to probabilistic executions. This distinction is important. Property C1
states that a coin flipper gives responses with probability 1 from any arbitrary point in its
computation; property C2 guarantees that with probability p a specific value is always returned,
but only if we observe the coin flipper from the beginning. C2 is not true for an arbitrary
probabilistic execution fragment: if we consider a fragment that begins in a state where two
processes are about to return two different values, then all processes return the same value
with probability 0. ■

We now turn to the proof of Proposition 8.1. The main statement that we use is

$$\mathcal{R} \xrightarrow[p]{\ \phi_{\mathit{MaxRound}} \le 3\ } \mathcal{D}, \tag{15}$$

which reads: from any state of ℛ, with probability at least p a state of 𝒟 is reached within
three rounds. To prove Statement (15) we prove two intermediate statements:

$$\mathcal{R} \xrightarrow[1]{\ \phi_{\mathit{MaxRound}} \le 1\ } \mathcal{F}_0 \cup \mathcal{F}_1 \cup \mathcal{D}, \tag{16}$$

and for each v ∈ {0,1},

$$\mathcal{F}_v \xrightarrow[p]{\ \phi_{\mathit{MaxRound}} \le 2\ } \mathcal{D}. \tag{17}$$

The proofs of Statements (16) and (17) rely on Propositions 7.3 and 7.8 and on the probabilistic
properties of the coin flipping protocols. In particular, the first statement relies on the fact
that the coin flippers respond, which occurs with probability 1 (C1), and the second statement
relies on the fact that some specific coin flipper always returns a specific value v, which is the
case with probability at least p (C2).

Proposition 8.2 Assuming that the coin flippers in AH satisfy C1,

$$\mathcal{R} \xrightarrow[1]{\ \phi_{\mathit{MaxRound}} \le 1\ } \mathcal{F}_0 \cup \mathcal{F}_1 \cup \mathcal{D}. \tag{18}$$

Proof. Let H be a probabilistic execution fragment of AH that starts from a state of ℛ. Let Θ
be the set of executions of Ω_H where each invocation to any coin flipper on a non-failing port
gets a response. By Proposition 7.3, in each execution of Θ a state from ℱ_0 ∪ ℱ_1 ∪ 𝒟 is reached
within one round. Thus, it is sufficient to show that P_H[Θ] = 1. Let, for each i ≥ 1, Θ_i be the
set of executions of Ω_H where each invocation to CF_i on a non-failing port gets a response.
Then Θ = ∩_{i≥1} Θ_i. Observe that, by definition, Θ_i is the inverse image under projection of the
set of executions of Ω_{H|CF_i} where each invocation on a non-failing port gets a response. From
C1, for each i, P_{H|CF_i}[Θ_i|CF_i] = 1, and thus, by Proposition 2.3, P_H[Θ_i] = 1. Therefore,
P_H[Θ] = 1 since any countable intersection of probability 1 events has probability 1. ■

Proposition 8.3 Assuming that the coin flippers in AH satisfy C1 and C2,

$$\mathcal{F}_v \xrightarrow[p]{\ \phi_{\mathit{MaxRound}} \le 2\ } \mathcal{D}. \tag{19}$$

Proof. Let H be a probabilistic execution fragment of AH that starts from a state s_0 of
ℱ_v, and let r = s_0.max-round. Let Θ be the set of executions of Ω_H where each invocation
to any coin flipper on a non-failing port gets a response and where each response of CF_r
has value v. By Proposition 7.8, in each execution of Θ a state from 𝒟 is reached within
two rounds. Thus, it is sufficient to show that P_H[Θ] ≥ p. Let, for each i ≥ 1, Θ_i be the
set of executions of Ω_H where each invocation to CF_i on a non-failing port gets a response.
Furthermore, let Θ'_r be the set of executions of Ω_H where every response of CF_r has value v. Then
Θ = (∩_{i≥1} Θ_i) ∩ Θ'_r. From C1, for each i, P_{H|CF_i}[Θ_i|CF_i] = 1, and thus, by Proposition 2.3,
P_H[Θ_i] = 1. Since s_0 ∈ ℱ_v and r = s_0.max-round, H|CF_r is a probabilistic execution of CF_r
(the start state of H|CF_r is a start state of CF_r), and thus property C2 can be applied. From
C2, P_{H|CF_r}[Θ'_r|CF_r] ≥ p, and thus, by Proposition 2.3, P_H[Θ'_r] ≥ p. Therefore, P_H[Θ] ≥ p
since any countable intersection of probability 1 events has probability 1 and the intersection
of a probability 1 event with an event of probability p has probability at least p. ■

Proof of Proposition 8.1. By Proposition 2.8, Statements (16) and (17) can be combined
to lead to Statement (15).

Since in AH ℛ is not left unless a state from 𝒟 is reached, since each transition of AH
increases φ_MaxRound by at most 1, and since from fairness and C1 some transition is scheduled
with probability 1 from each state of ℛ, by Theorem 2.9 we derive that within at most expected
4/p rounds a state from 𝒟 is reached under any fair scheduler. ■

9 The Coin Flipping Protocol

We are left to show that it is possible to build a distributed coin flipping protocol with the
properties C1 and C2 stated in Section 8, where by a distributed protocol we mean a protocol
where processes interact through single-writer multiple-reader shared variables only.

In this section we build an almost distributed version of the coin flipping protocol where
processes interact through a multiple-writer multiple-reader shared register; in Section 10 we
refine the protocol of this section to yield a distributed protocol. The protocol is based on
random walks and satisfies properties C1 and C2 with a sufficiently high probability p that is
independent of n.

9.1 The Code for the Protocol

We represent the coin flipping protocol by letting an automaton DCN_r (Distributed CoiN)
interact with a centralized counter CT_r (CounTer), that is, CF_r = Hide_I(DCN_r ‖ CT_r),
where I is the set of actions used for the interaction between DCN_r and CT_r, and Hide_I is
an operator that transforms the actions of I from external to internal. Figure 3 shows the
structure of the coin flipping protocol. In this section, DCN_r is distributed while CT_r is
composed of n processes that receive requests from DCN_r and read/update a single shared
variable: the details of the distributed implementation of a shared counter are not necessary
for any properties of the coin flipping protocol. The distributed version of the shared counter
is presented in Section 10.

Since the protocols for DCN_r and CT_r are the same for any round r, we drop the subscript
r from our notation. Table 3 gives the state variables of DCN; Table 4 gives the transition
relation of DCN. Each process flips a fair coin to decide whether to increment or decrement
the shared counter. Then the process reads the current value of the shared counter, and if the
value read is beyond the barriers ±Kn, where K is a fixed constant, then the process returns.
The protocol described in Table 4 is slightly different from the protocol described in [5]: once
a coin flip is requested, our protocol checks the counter before flipping a coin, while the protocol
of [5] starts immediately by flipping a coin. Our protocol improves on the protocol of [5] in that
properties C1 and C2 are satisfied even in the presence of multiple requests on the same port.
This improvement is not essential for the correctness of the protocol of [5], since the protocol
guarantees that there is at most one request at each port; however, our improvement simplifies
the proof slightly in that we do not have to prove explicitly that there is at most one request
at each port.
Figure 3: The structure of the coin flipping protocol.

Table 5 gives the state variables of the shared counter CT; Table 6 gives the actions and
transition relation of CT. Informally, each process of CT receives requests that are handled
by referring to a multiple-writer multiple-reader shared variable counter. Increment and
decrement operations are performed by updating counter directly; read operations are implemented
by first copying the value of counter to a multiple-writer single-reader variable preread
and then, in a separate step, returning the value of preread to the environment. However, an
update to counter may invalidate the value that a read operation is ready to return. This fact
is expressed by the nondeterministic choice to reset any set of preread variables to ⊥ whenever
a process updates counter. Due to the way the preread variables are handled, the specification
of CT states that an increment or decrement operation always completes unless the corresponding
process fails, while a read operation is guaranteed to complete only if increments and
decrements eventually cease. Essentially, our use of the preread variables is an abstraction of
what the implementation of Section 10 actually does.

We now proceed with the analysis of CF. In particular, we show that with probability
1, all the invocations to CF on a non-failing port get an answer, and, for v ∈ {0,1}, with
probability at least (K − 1)/2K all the answers are v. The analysis is split into two parts: the
first part deals with non-probabilistic properties, while the second part deals with probability.
Name            Values                                                      Initially

Local state
fpc             {nil, flip, inc, wait-inc, dec, wait-dec, read-counter,     nil
                 wait-counter, compare, return-flip_0, return-flip_1}
stopped         Bool                                                        false
local-counter   int

Table 3: The state variables of a process i in DCN.

9.2 Non-Probabilistic Analysis

Let Acts be {flip_1, ..., flip_n}, and let S be {(U_1^I, U_1^D), (U_2^I, U_2^D), ..., (U_n^I, U_n^D)}, where
U_j^I is the set of states of CF where process j has just flipped inc (fpc_j = inc), and U_j^D is the
set of states of CF where process j has just flipped dec (fpc_j = dec).

Given a finite execution fragment α of CF, let φ_inc(α) be the number of coin flips in α
that give inc, and let φ_dec(α) be the number of coin flips in α that give dec. Functions φ_inc
and φ_dec correspond to functions Heads_{Acts,S} and Tails_{Acts,S} in Section 3.3; the difference
φ_inc(α) − φ_dec(α) corresponds to Diff_{Acts,S}(α). Given a state s of CF, let |s|_inc be the number
of processes in s whose program counter of either DCN or CT is inc, and let |s|_dec be the
number of processes in s whose program counter of either DCN or CT is dec. Formally, let
S_inc = {j | s.fpc_j = inc ∨ s.cpc_j = inc}, the processes that are about to increment, and let
S_dec = {j | s.fpc_j = dec ∨ s.cpc_j = dec}, the processes that are about to decrement. Let
|s|_inc = |S_inc| and |s|_dec = |S_dec|. The following lemma states how counter and the actual
number of coin flips giving inc and dec are related.

Lemma 9.1 Let α be a finite execution of CF, and let s = lstate(α). Then,

$$\phi_{\mathit{inc}}(\alpha) - \phi_{\mathit{dec}}(\alpha) = s.\mathit{counter} + |s|_{\mathit{inc}} - |s|_{\mathit{dec}}.$$

Proof. Straightforward induction on the length of α. ■

Actions and transitions of process i.

input start-flip(r)_i
  Eff: if fpc = nil ∧ ¬stopped then
         fpc ← read-counter

output start-read_i
  Pre: fpc = read-counter
  Eff: fpc ← wait-counter

input end-read(c)_i
  Eff: if fpc = wait-counter then
         local-counter ← c
         fpc ← compare

internal compare_i
  Pre: fpc = compare
  Eff: if local-counter ≥ Kn then
         fpc ← return-flip_1
       elseif local-counter ≤ −Kn then
         fpc ← return-flip_0
       else
         fpc ← flip

output return-flip(v, r)_i
  Pre: fpc = return-flip_v
  Eff: fpc ← nil

internal flip(r)_i
  Pre: fpc = flip
  Eff: Pr[fpc ← inc] = 1/2 ∧
       Pr[fpc ← dec] = 1/2

output start-inc_i
  Pre: fpc = inc
  Eff: fpc ← wait-inc

input end-inc_i
  Eff: if fpc = wait-inc then
         fpc ← read-counter

output start-dec_i
  Pre: fpc = dec
  Eff: fpc ← wait-dec

input end-dec_i
  Eff: if fpc = wait-dec then
         fpc ← read-counter

input stop_i
  Eff: stopped ← true
       fpc ← nil

Tasks: The locally controlled actions of process i form a single task.

Table 4: The actions and transition relation of DCN.

Given a state s, let S_below (S_above) be the set of processes in s that have a pending request
and either are up to flipping an elementary coin or are up to detecting that counter is below
(above) the barrier Kn (−Kn). Let |s|_below and |s|_above denote the cardinality of S_below and
S_above, respectively. Formally, S_below is the set of processes i such that either

1. s.fpc_i = flip, or

2. s.fpc_i = read-counter and s.counter < Kn, or

3. s.fpc_i = compare and s.local-counter_i < Kn, or

4. s.cpc_i = read-counter and either s.preread_i < Kn or s.counter < Kn.

Similarly, S_above can be defined by replacing < Kn with > −Kn. The following two lemmas
state a key property for the analysis of the coin flipping protocol. We describe only Lemma 9.2
since Lemma 9.3 is symmetric. Suppose that a state is reached where the value of counter
minus the number of processes that either are up to decrementing counter or are up to detecting
that counter is below Kn is at least Kn. Then Lemma 9.2 states that this property continues
to remain valid in the future. Roughly speaking, each process that reads counter terminates
(does not flip nor update counter any more) because it observes a value that is at least Kn.

Lemma 9.2 The following property is stable for CF, that is, it continues to be satisfied once
it is satisfied.

$$s.\mathit{counter} - |s|_{\mathit{dec}} - |s|_{\mathit{below}} \ge Kn. \tag{20}$$

Proof. Straightforward inductive argument. ■

Name            Values                                                      Initially

Local state
cpc             {nil, wait, inc, end-inc, dec, end-dec, read-counter}       wait
stopped         Bool                                                        false

Multiple-writer multiple-reader shared variables
counter         int                                                         0

Multiple-writer single-reader shared variables (process i reads)
preread(i)      int ∪ {⊥}                                                   ⊥

Table 5: The state variables of a process i in CT.

Lemma 9.3 The following property is stable for CF.

$$s.\mathit{counter} + |s|_{\mathit{inc}} + |s|_{\mathit{above}} \le -Kn. \tag{21}$$

Proof. Straightforward inductive argument. ■

A simple consequence of Lemmas 9.2 and 9.3 is that whenever the difference between the
coin flips that give inc and the coin flips that give dec is beyond the barriers ±(K + 1)n, the
value of counter is always beyond ±Kn.

Lemma 9.4 Let α = α_1 ⌢ α_2 be an execution of CF such that φ_inc(α_1) − φ_dec(α_1) = (K + 1)n.
Then each state of α_2 satisfies counter ≥ Kn.

Proof. By Lemma 9.1, φ_inc(α_1) − φ_dec(α_1) = s.counter + |s|_inc − |s|_dec where s = lstate(α_1) =
fstate(α_2), and thus s.counter + |s|_inc − |s|_dec = (K + 1)n. By a simple algebraic manipulation,
s.counter − |s|_dec − |s|_below = s.counter + |s|_inc − |s|_dec − (|s|_inc + |s|_below). Observe that, by
definition, S_inc ∩ S_below = ∅, and therefore |s|_inc + |s|_below ≤ n. This means that s.counter −
|s|_dec − |s|_below ≥ Kn. By Lemma 9.2, each state s' of α_2 satisfies s'.counter − |s'|_dec − |s'|_below ≥
Kn. Thus, each state of α_2 satisfies counter ≥ Kn. ■
Actions and transitions of process i. 

input start-inc_i 
    Eff: if cpc = wait then 
             cpc ← inc 

internal inc_i 
    Pre: cpc = inc 
    Eff: counter ← counter + 1 
         ∀j preread(j) ← choose(preread(j), ⊥) 
         cpc ← end-inc 

output end-inc_i 
    Pre: cpc = end-inc 
    Eff: cpc ← wait 

input start-dec_i 
    Eff: if cpc = wait then 
             cpc ← dec 

internal dec_i 
    Pre: cpc = dec 
    Eff: counter ← counter − 1 
         ∀j preread(j) ← choose(preread(j), ⊥) 
         cpc ← end-dec 

output end-dec_i 
    Pre: cpc = end-dec 
    Eff: cpc ← wait 

input start-read_i 
    Eff: if cpc = wait then 
             cpc ← read-counter 

internal read_i 
    Pre: cpc = read-counter 
         preread(i) = ⊥ 
    Eff: preread(i) ← counter 

output end-read(c)_i 
    Pre: cpc = read-counter 
         preread(i) = c ≠ ⊥ 
    Eff: cpc ← wait 
         preread(i) ← ⊥ 

input stop_i 
    Eff: stopped ← true 
         cpc ← nil 

Tasks: The locally controlled actions of process i form a single task. 

Table 6: The actions and transition relation of CT. 



Lemma 9.5 Let $\alpha = \alpha_1 \frown \alpha_2$ be an execution of CF such that $\phi_{inc}(\alpha_1) - \phi_{dec}(\alpha_1) = -(K+1)n$. 
Then each state of $\alpha_2$ satisfies $\mathit{counter} \le -Kn$. 

Proof. Symmetric to the proof of Lemma 9.4. ■ 

Lemma 9.6 Let $\alpha$ be an execution of CF, such that $\alpha \in Top[-(K-1)n, (K+1)n, 0](H)$ for 
some probabilistic execution H of CF. Then $\alpha$ is 1-global. 

Proof. Since $\alpha \in Top[-(K-1)n, (K+1)n, 0](H)$, either each prefix $\alpha'$ of $\alpha$ satisfies $-(K-1)n < 
\phi_{inc}(\alpha') - \phi_{dec}(\alpha') < (K+1)n$, or $\alpha = \alpha_1 \frown \alpha_2$ where $\phi_{inc}(\alpha_1) - \phi_{dec}(\alpha_1) = (K+1)n$ 
and no prefix $\alpha'_1$ of $\alpha_1$ satisfies $\phi_{inc}(\alpha'_1) - \phi_{dec}(\alpha'_1) \le -(K-1)n$. 

In the first case, by Lemma 9.1, no state of $\alpha$ satisfies $\mathit{counter} \le -Kn$. In the second case, 
by Lemma 9.1, no state of $\alpha_1$ satisfies $\mathit{counter} \le -Kn$. Furthermore, by Lemma 9.4, each 
state of $\alpha_2$ satisfies $\mathit{counter} \ge Kn$. Therefore, no state of $\alpha$ satisfies $\mathit{counter} \le -Kn$. This 
means that in both cases no process returns value 0 in $\alpha$. ■ 
Lemma 9.7 Let $\alpha$ be an execution of CF, such that $\alpha \in Bottom[-(K-1)n, (K+1)n, 0](H)$ 
for some probabilistic execution H of CF. Then $\alpha$ is 0-global. 

Proof. Symmetric to the proof of Lemma 9.6. ■ 

Lemma 9.8 Let $\alpha$ be a fair execution of CF, such that $\alpha \in Either[-(K+1)n, (K+1)n, 0](H)$ 
for some probabilistic execution H of CF. Then $\alpha$ is responsive. 

Proof. If $\alpha$ contains finitely many flip actions, then eventually all the increment and decrement 
operations deriving from the flipping operations are completed or interrupted (the correspond- 
ing end-inc or end-dec actions occur or the corresponding processes fail). Thus, there is a 
point after which no more inc and dec operations are performed. Let $\alpha'$ be a suffix of $\alpha$ 
where no more flip, increment or decrement operations are performed. Then in $\alpha'$ none of the 
$preread_i$ variables is set to ⊥ while action $end\text{-}read(c)_i$ is enabled, and thus all read operations 
on non-failing ports terminate eventually. At that point, since no more flips are performed in 
$\alpha'$, each process that completes a read operation returns a value. 

If $\alpha$ contains infinitely many flip actions, then, since $\alpha \in Either[-(K+1)n, (K+1)n, 0](H)$, 
$\alpha = \alpha_1 \frown \alpha_2$ such that $\phi_{inc}(\alpha_1) - \phi_{dec}(\alpha_1) = \pm(K+1)n$. Here we consider the case where 
$\phi_{inc}(\alpha_1) - \phi_{dec}(\alpha_1) = (K+1)n$; the other case is symmetric. By Lemma 9.4, each state of $\alpha_2$ 
satisfies $\mathit{counter} \ge Kn$. Thus, each non-failing process returns a value once it reads counter 
(performing the read operation in $\alpha_2$) since the value read is at least $Kn$. ■ 

Lemma 9.9 Let $\alpha$ be a fair execution of CF, such that $\alpha \in Top[-(K-1)n, (K+1)n, 0](H)$ 
for some probabilistic execution H of CF. Then $\alpha$ is responsive and 1-global. 

Proof. By Lemma 9.8, each invocation on a non-failing port gets a response. By Lemma 9.6 
no invocation gets response 0. Hence, each invocation on a non-failing port gets response 1. ■ 

Lemma 9.10 Let $\alpha$ be a fair execution of CF, such that $\alpha \in Bottom[-(K-1)n, (K+1)n, 0](H)$ 
for some probabilistic execution H of CF. Then $\alpha$ is responsive and 0-global. 

Proof. Symmetric to the proof of Lemma 9.9. ■ 

9.3 Probabilistic Analysis 

In this short subsection we prove the probabilistic properties of the coin flipping protocol, that 
is, it guarantees properties C1 (Proposition 9.11) and C2 (Proposition 9.12). The proofs rely 
on the non-probabilistic properties proved in Section 9.2 and on the coin lemmas for symmetric 
random walks of Section 3.3. 
Proposition 9.11 The coin flipper CF satisfies C1. That is, for each fair probabilistic execu- 
tion fragment of CF that starts with a reachable state of CF, the probability of the executions 
that are responsive is 1. 

Proof. Let H be a fair probabilistic execution fragment of CF that starts with a reachable state 
s of CF, and let $\alpha$ be a finite execution of CF such that $lstate(\alpha) = s$. Let $z = \phi_{inc}(\alpha) - \phi_{dec}(\alpha)$. 
If $\alpha'$ is an execution of the event $Either[-(K+1)n, (K+1)n, z](H)$, then $\alpha \frown \alpha'$ is an execution 
of $Either[-(K+1)n, (K+1)n, 0](H')$ for some fair probabilistic execution $H'$ of CF, and by 
Lemma 9.8, every invocation to CF in $\alpha \frown \alpha'$ gets a response. From Definition 7.1, every 
invocation to CF in $\alpha'$ gets a response. By Theorem 3.11, $P_H[Either[-(K+1)n, (K+1)n, z](H)] = 1$. 
This completes the proof. ■ 

Proposition 9.12 The coin flipper CF satisfies C2 with $p = (K-1)/2K$. That is, for fixed 
$v \in \{0, 1\}$, for each fair probabilistic execution of CF, the probability of the executions that are 
responsive and v-global is at least $(K-1)/2K$. 

Proof. Assume that $v = 1$; the case for $v = 0$ is symmetric. Let H be a fair probabilistic 
execution of CF. If $\alpha$ is an execution of $Top[-(K-1)n, (K+1)n, 0](H)$, then, by Lemma 9.9, 
every invocation to CF in $\alpha$ gets response 1. Furthermore, by Theorem 3.11, $P_H[Top[-(K-1)n, 
(K+1)n, 0](H)] \ge (K-1)/2K$. This completes the proof. ■ 

10 Implementation of the Shared Counter 

In this section we build an implementation of CT and we show that it can replace the abstract 
automaton CT in CF without compromising Propositions 9.11 and 9.12, that is, properties 
C1 and C2 with $p = (K-1)/2K$. In this way, using the coin flipping protocol with the new 
counter, we obtain a protocol for consensus that uses only single-writer multiple-reader shared 
variables. 

The implementation of CT, which we denote by DCT (Distributed CounTer), is an adap- 
tation of an algorithm proposed by Lamport [12] for read/write registers. The state variable 
counter of CT is represented by n single-writer multiple-reader registers, one for each pro- 
cess, with two fields: a num field, which is incremented whenever the value of the register is 
changed, and a val field representing the contribution of the corresponding process to the value 
of counter. The operations inc and dec on a process i are implemented by incrementing or 
decrementing the val register and incrementing the num register of process i. The operation 
read-counter is implemented by scanning the shared registers until two consecutive scans give 
the same value. Table 7 gives the state variables of DCT; Table 8 gives the transition relation 
of DCT. 
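A toy model of the DCT read operation just described, added here as an example and not code from the paper: two hand-constructed interleavings show a read being forced to rescan by concurrent increments, and the role of the num field when val returns to its old value. The initial value of first and the clearing of obs after an unconfirmed scan are assumptions of this model.

```python
"""Toy model of the DCT counter (Section 10): each process owns one
single-writer multiple-reader register (val, num); a read scans all
registers until two consecutive scans agree.  Added example, not the
paper's code; the interleavings below are constructed by hand."""
from typing import List, Optional, Set, Tuple

Pair = Tuple[int, int]  # (val, num): a process's contribution and its write count


class Registers:
    """The shared memory: register i is written only by process i."""

    def __init__(self, n: int) -> None:
        self.n = n
        self.val = [0] * n
        self.num = [0] * n

    def inc(self, i: int) -> None:   # inc_i of Table 8
        self.val[i] += 1
        self.num[i] += 1

    def dec(self, i: int) -> None:   # dec_i of Table 8
        self.val[i] -= 1
        self.num[i] += 1

    def read(self, k: int) -> Pair:  # the single-register read inside scan(k)
        return (self.val[k], self.num[k])

    def true_sum(self) -> int:       # the abstract counter of CT
        return sum(self.val)


class ReadCounter:
    """Local state of one read-counter operation (prescan, scan, first, obs)."""

    def __init__(self, regs: Registers) -> None:
        self.regs = regs
        self.prescan: List[Pair] = [(0, 0)] * regs.n
        self.scan: List[Pair] = [(0, 0)] * regs.n
        self.first = True          # assumption: the very first full scan is only stored
        self.obs: Set[int] = set()
        self.result: Optional[int] = None
        self.full_scans = 0

    def step(self) -> None:
        """One scan(k) transition; k is the smallest register not yet observed
        (Table 8 leaves the choice of k nondeterministic)."""
        k = min(set(range(self.regs.n)) - self.obs)
        self.scan[k] = self.regs.read(k)
        self.obs.add(k)
        if len(self.obs) == self.regs.n:
            self.full_scans += 1
            if not self.first and self.prescan == self.scan:
                # two identical consecutive scans: the snapshot is consistent
                self.first = True
                self.result = sum(v for v, _ in self.scan)
            else:
                self.prescan = list(self.scan)
                self.first = False
            self.obs = set()       # assumption: obs is cleared before the next scan


def run_scan(rc: ReadCounter) -> None:
    """Perform one full scan of all registers with no interleaved writes."""
    for _ in range(rc.regs.n):
        rc.step()


def demo_concurrent_increments() -> Tuple[int, int]:
    """Writes land between register reads, so scans 1 and 2 disagree and a
    third scan is needed.  Returns (value read, number of full scans)."""
    regs = Registers(3)
    rc = ReadCounter(regs)
    rc.step()            # scan 1 reads register 0 -> (0, 0)
    regs.inc(1)          # process 1 increments concurrently
    rc.step()            # scan 1 reads register 1 -> (1, 1)
    rc.step()            # scan 1 completes: [(0,0), (1,1), (0,0)] stored as prescan
    regs.inc(0)          # process 0 increments between scans
    run_scan(rc)         # scan 2: [(1,1), (1,1), (0,0)] != prescan -> retry
    run_scan(rc)         # scan 3 equals scan 2 -> read returns 2
    assert rc.result == regs.true_sum()
    return rc.result, rc.full_scans


def demo_inc_then_dec() -> Tuple[int, int]:
    """Process 0 increments and decrements between scans: every val is back
    to its old value, but num(0) changed, so the scans still disagree."""
    regs = Registers(2)
    rc = ReadCounter(regs)
    run_scan(rc)         # scan 1: [(0,0), (0,0)]
    regs.inc(0)
    regs.dec(0)          # val(0) back to 0, num(0) now 2
    run_scan(rc)         # scan 2: [(0,2), (0,0)] != prescan -> retry
    run_scan(rc)         # scan 3 equals scan 2 -> read returns 0
    return rc.result, rc.full_scans


if __name__ == "__main__":
    print(demo_concurrent_increments())   # (2, 3)
    print(demo_inc_then_dec())            # (0, 3)
```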

We now verify that it is possible to substitute DCT for CT in CF without compromising 
properties C1 and C2. Let DCF (Distributed Coin Flipper) be defined as $Hide_I(DCN \| DCT)$, 
where I is the set of actions used for the interaction between DCN and DCT. 
Name               Values                                                        Initially 

Local state 
cpc                {nil, wait, inc, end-inc, dec, end-dec, scan, read-counter}   wait 
prescan            array [1 . . . n] of int × int                                array of (0,0) 
scan               array [1 . . . n] of int × int                                array of (0,0) 
first              Bool 
obs                set of {1, . . . , n} 
stopped            Bool                                                          false 

Single-writer multiple-reader shared variables 
(num(i), val(i))   int × int                                                     (0,0) 

Table 7: The state variables of a process i in DCT. 



Observe that properties C1 and C2 are properties of the fair trace distributions of CF 
and DCF. Specifically, observe that responsiveness and v-globality can be stated in terms of 
traces. Then, property C1 can be stated as "in each fair trace distribution, the probability 
of the set of traces that are responsive is 1", and property C2 can be stated as: "in each 
fair trace distribution, the probability of the set of traces that are responsive and v-global is 
at least p". Thus, to show that DCF satisfies properties C1 and C2 it is sufficient to show 
that $ftdistrs(DCF) \subseteq ftdistrs(CF)$. For this purpose, by using Proposition 2.14, it is sufficient 
to build a refinement h from DCT to CT and show that h preserves the fair executions of 
DCT. Note that h is not probabilistic since DCT and CT are not probabilistic. That is, the 
properties that we need to show do not involve probability. 

Actions and transitions of process i. 

input start-inc_i 
    Eff: if cpc = wait then 
             cpc ← inc 

internal inc_i 
    Pre: cpc = inc 
    Eff: val(i) ← val(i) + 1 
         num(i) ← num(i) + 1 
         cpc ← end-inc 

output end-inc_i 
    Pre: cpc = end-inc 
    Eff: cpc ← wait 

input start-dec_i 
    Eff: if cpc = wait then 
             cpc ← dec 

internal dec_i 
    Pre: cpc = dec 
    Eff: val(i) ← val(i) − 1 
         num(i) ← num(i) + 1 
         cpc ← end-dec 

output end-dec_i 
    Pre: cpc = end-dec 
    Eff: cpc ← wait 

input start-read_i 
    Eff: if cpc = wait then 
             cpc ← scan 
             obs ← ∅ 

internal scan(k)_i 
    Pre: cpc = scan 
         k ∉ obs 
    Eff: scan[k] ← (counter(k), num(k)) 
         obs ← obs ∪ {k} 
         if obs = {1, . . . , n} then 
             if ¬first ∧ (prescan = scan) then 
                 first ← true 
                 counter ← Σ_{j=1}^{n} scan[j].val 
                 cpc ← read-counter 
             else 
                 prescan ← scan 
                 first ← false 

output end-read(c)_i 
    Pre: cpc = read-counter 
         c = Σ_{j=1}^{n} scan[j].val 
    Eff: cpc ← wait 

input stop_i 
    Eff: stopped ← true 
         cpc ← nil 

Tasks: The locally controlled actions of process i form a single task. 

Table 8: The actions and transition relation of DCT. 

Proposition 10.1 There is a refinement from DCT to CT that preserves the fair executions 
of DCT. 

Proof. The refinement keeps the preread variables different from ⊥ whenever the first scan 
has occurred and no increment or decrement operations have done anything that would make 
the first and second scans differ. Formally, $h(s) = s'$ where, for each process i, 

    $s'.cpc_i = \mathit{read\text{-}counter}$ if $s.cpc_i = \mathit{scan}$, and $s'.cpc_i = s.cpc_i$ otherwise; 

    $s'.\mathit{counter} = \sum_j s.val(j)$; 

    $s'.preread_i = c$ if $\neg s.first_i$ and $c = \sum_j s.prescan[j]_i.val$ 
                        and $s.cpc_i \in \{\mathit{scan}, \mathit{read\text{-}counter}\}$ 
                        and $\forall j\,(j \in obs_i \Rightarrow prescan[j]_i = scan[j]_i)$ 
                        and $\forall j\,(j \notin obs_i \Rightarrow prescan[j]_i = (val(j), num(j)))$, 
                   and $s'.preread_i = \bot$ otherwise. 

It is straightforward to check that h is a refinement mapping. 

Consider now a fair execution $\alpha_1$ of DCT. From the execution correspondence theorem 
there is an execution $\alpha_2$ of CT such that $(\alpha_1, \alpha_2) \in h$. Suppose by contradiction that $\alpha_2$ is not 
fair. Then in $\alpha_2$ there is a process i whose corresponding task is eventually continuously enabled 
but never performed. Observe that $h^{-1}$ preserves the enabledness of each task of CT, and that 
in DCT it is not possible that for some task T there is an execution fragment with infinitely 
many internal actions from T and no external action from T. Thus, since $(\alpha_1, \alpha_2) \in h$, 
eventually in $\alpha_1$ the task of process i is continuously enabled but never performed. This means 
that $\alpha_1$ is not fair, a contradiction. ■ 

Theorem 10.2 The coin flipper DCF satisfies properties C1 and C2 with $p = (K-1)/2K$. 

Proof. By Proposition 10.1, there is a refinement from DCT to CT that preserves the fair 
executions of DCT. By Proposition 2.14, $ftdistrs(DCF) \subseteq ftdistrs(CF)$. This completes the 
proof. ■ 



11 Summing Up 

In this section we paste together the results of the previous sections to derive an upper bound 
on the expected number of rounds for termination. 

Theorem 11.1 Using the coin flippers of Sections 9 and 10, AH guarantees wait-free termi- 
nation within a constant expected number of rounds, that is, from each reachable state of AH , 
under any fair scheduler, a state of V is reached within a constant expected number of rounds. 

Proof. The coin flippers DCF of Sections 9 and 10 satisfy properties C1 and C2 with 
$p = (K-1)/2K$, where K is a constant (cf. Theorem 10.2 and Propositions 9.11 and 9.12). By 
Proposition 8.1, AH guarantees wait-free termination within at most $O(2K/(K-1))$ expected 
rounds, that is, within a constant expected number of rounds. ■ 

We analyze some implications of Theorem 11.1. In particular, the definition of V may 
appear rather counterintuitive, since reaching V does not necessarily mean deciding: it is 
possible to reach V by letting processes fail. However, Theorem 11.1 gives enough information 
to derive several different termination properties as the following corollary shows. 

Corollary 11.2 Let H be a fair probabilistic execution fragment of AH , and suppose that H 
starts from a reachable state s of AH . Then the following properties are satisfied by H . 

1. If in s all processes are initialized already, then within a constant expected number of 
rounds all non-failing processes decide. 

2. If in s there is at least one initialized and non-failed process, and if no new processes fail 
in H , then a decision is reached within a constant expected number of rounds. 

Proof. To reach V all initialized processes must either fail or decide. In the first case, since 
V is reached, all non-failed processes have decided. In the second case, since there is at least 
one non-failed initialized process, and since that process does not fail, it decides. ■ 
12 Timing Analysis of the Algorithm 

In this section we prove an upper bound on the expected time it takes for all processes to 
terminate, starting from an arbitrary reachable state, once all processes have some minimum 
speed. For this purpose we augment the I/O automata of the previous sections so that 
time can be observed. Our augmentation resembles the patient construction of [10] and pro- 
duces another probabilistic I/O automaton. Note that we cannot regard the augmentation we 
present in this paper as the definition of a general timed probabilistic model. Our augmen- 
tation is the minimum machinery that is necessary for the time analysis of an asynchronous 
algorithm. 

12.1 Modeling Time 

In order to model time we add a special component .now to the states of all our probabilistic 
I/O automata, and we add the set of positive real numbers to the input actions of all our prob- 
abilistic I/O automata. We call the new actions time-passage actions. The .now component 
is a nonnegative real number and describes the current time of an automaton. At the begin- 
ning (i.e., in the start states) the current time is 0, and thus the .now component is 0. The 
occurrence of an action d, where d is a positive real number, increments the .now component 
by d and leaves the rest of the state unchanged. Thus, the occurrence of an action d models 
the fact that d time units are elapsing. The amount of time elapsed since the beginning of an 
execution is recorded in the .now component. Since time-passage actions must synchronize in 
a parallel composition context, parallel composition ensures that the .now components of the 
components are always equal. Thus, we can abuse notation and talk about the .now compo- 
nent of the composition of two automata while we refer to the .now component of one of the 
components. Observe that our augmented probabilistic I/O automata are still probabilistic 
I/O automata. 

For any probabilistic I/O automaton augmented with time we define a new complexity 
measure $\phi_t$ as follows: 

    $\phi_t(\alpha) = lstate(\alpha).now - fstate(\alpha).now.$ 

It is straightforward to check that $\phi_t$ is a complexity measure. Informally, $\phi_t$ measures the 
time that elapses during an execution. We say that an execution fragment $\alpha$ of a probabilistic 
automaton M is well-timed if there is no task T of M and no decomposition $\alpha_1 \frown \alpha_2 \frown \alpha_3$ of $\alpha$ 
such that $\phi_t(\alpha_2) > 1$, all the states of $\alpha_2$ enable T, and no action from T occurs in $\alpha_2$. That 
is, $\alpha$ is well-timed if no task remains enabled for more than one time unit without 
being performed. 

All the properties that we have studied in the previous sections are still valid for our 
augmented automata, since they are not affected by the presence of the .now component 
and of the new input actions. It is simple to observe that if we remove the time-passage 
transitions from a fair execution of an augmented automaton we obtain a fair execution of the 
non-augmented automaton. 

In the rest of this section we strengthen the properties of the previous sections by showing 
that, under the assumption of well-timedness, the algorithm of Aspnes and Herlihy terminates 
within expected polynomial time. That is, if from a certain point each processor has some 
minimum speed, then the algorithm of Aspnes and Herlihy guarantees termination within 
expected polynomial time. 

12.2 Preliminary Definitions 

Before presenting the timing analysis we give some preliminary definitions. Recall that, for 
each $r > 0$, $DCF_r$ denotes $Hide_I(DCN_r \| DCT_r)$, where I is the set of actions used for the 
interaction between $DCN_r$ and $DCT_r$. That is, $DCF_r$ is the result of substituting $DCT_r$ 
for $CT_r$ in $CF_r$. Let DAH (Distributed Aspnes-Herlihy) denote $AP \| (\|_{r>0} DCF_r)$. For an 
execution fragment $\alpha$ of $DCF_r$ or of DAH, let $\phi_{flip,r}(\alpha)$ be the number of flip events of $DCF_r$ 
that occur in $\alpha$, and let $\phi_{id,r}(\alpha)$ be the number of inc and dec events of $DCF_r$ that occur 
in $\alpha$. For each execution fragment $\alpha$ of DAH let $\phi_{id}(\alpha)$ denote the number of inc and dec 
events that occur in $\alpha$. It is straightforward to check that $\phi_{flip,r}$, $\phi_{id,r}$ and $\phi_{id}$ are complexity 
measures. Observe that the following trivial result holds. 

Lemma 12.1 For each execution fragment $\alpha$ of DAH, 

1. $\phi_{id}(\alpha) = \sum_{r>0} \phi_{id,r}(\alpha)$; and 

2. for each $r > 0$, $\phi_{id,r}(\alpha) = \phi_{id,r}(\alpha \lceil DCF_r)$. ■ 

12.3 Non-Probabilistic Properties of the Complexity Measures 

In this section we study the relationship between the complexity measures $\phi_t$, $\phi_{id}$, $\phi_{flip}$, $\phi_{id,r}$ 
and $\phi_{flip,r}$ defined above. The first significant result of this section, Lemma 12.4, provides 
a linear upper bound on the time it takes for DAH to span a given number of rounds and 
to flip a given number of coins under the assumption of well-timedness. We first prove a 
preliminary lemma, which provides a linear upper bound on the time a coin flipping protocol 
is active without any inc, dec, return-flip or stop action occurring. The preliminary lemma is 
first proved for a coin flipping protocol (cf. Lemma 12.2), and then proved for a coin flipping 
protocol within DAH. 

Lemma 12.2 Let $\alpha$ be a fair, well-timed execution fragment of $DCF_r$, $r > 0$. Suppose that 
in $fstate(\alpha)$ there is at least one non-failed process with a pending start-flip(r) request. Then 
in $\alpha$ there is an occurrence of an action from {inc, dec, return-flip, stop} within time $O(n)$. 
Proof. Let X be {inc, dec, return-flip, stop}. Let i be a non-failed process with a pending 
start-flip(r) request in $fstate(\alpha)$, and suppose for the sake of contradiction that in $\alpha$ there is no 
occurrence of actions from X within time $3n + d$, where d is a sufficiently large constant. From 
the code of $DCF_r$, process i runs through a cycle where a read request is performed and an 
action from {inc, dec, return-flip} occurs, unless process i fails (action stop occurs). Thus, one 
action from X occurs before completing a cycle. The maximum time necessary to complete 
a cycle is given by the time to complete a read request plus the time to check the result and 
perform the corresponding operations. The constant d accounts for the time necessary to 
complete all the operations except for the read request. Since no action from X occurs within 
time $3n + d$, a read request completes within time at most $3n$: in fact, within 3 scans of process 
i there are two consecutive scans that give the same result. Thus, within time $3n + d$ process 
i completes a cycle, which means that an action from X occurs, a contradiction. ■ 

Lemma 12.3 Let $\alpha$ be a fair, well-timed execution fragment of DAH, and let $r > 0$. Suppose 
that in $fstate(\alpha) \lceil DCF_r$ there is at least one non-failed process with a pending start-flip(r) 
request. Then in $\alpha$ there is an occurrence of an action from {inc, dec, return-flip, stop} within 
time $O(n)$. 

Proof. Let X be {inc, dec, return-flip, stop}. By Lemma 12.2, in $\alpha \lceil DCF_r$ there is an occur- 
rence of an action from X within time $c_1 n + c_2$ for appropriate constants $c_1$ and $c_2$. That 
is, $\alpha \lceil DCF_r = \alpha_1 \frown \alpha_2$ such that $\phi_t(\alpha_1) \le c_1 n + c_2$ and an action from X occurs in $\alpha_1$. 
Let $\alpha'_1$ be a prefix of $\alpha$ such that $\alpha_1 = \alpha'_1 \lceil DCF_r$. Then, from the definition of projection, 
an action from X occurs in $\alpha'_1$, and from the definition of .now within parallel composition, 
$\phi_t(\alpha'_1) = \phi_t(\alpha_1) \le c_1 n + c_2$. This means that in $\alpha$ an action from X occurs within time $c_1 n + c_2$. ■ 



Lemma 12.4 Let $\alpha$ be a well-timed execution fragment of DAH, and let $R = fstate(\alpha).max\text{-}round$. 
Suppose that all the states of $\alpha$, with the possible exception of $lstate(\alpha)$, are active, that is, are 
states of 𝓡. Then, $\phi_t(\alpha) \le d_1 n^2 (\phi_{MaxRound}(\alpha) + R) + d_2 n \phi_{id}(\alpha) + d_3 n^2$ for some constants 
$d_1$, $d_2$, and $d_3$. 

Proof. At each round each process performs a linear number of transitions outside the coin 
flipping protocol, using time at most $c_1 n$ for some constant $c_1$. Divide $\alpha$ into two kinds of execu- 
tion fragments: those where some active process is outside the coin flipping protocols, and those 
where no active process is outside the coin flipping protocols. The total time complexity of the 
first kind of execution fragments is upper bounded by $c_1 n^2 (\phi_{MaxRound}(\alpha) + R)$, corresponding 
to the case where at each time there is exactly one process outside the coin flipping protocols. 
Consider now the second kind of execution fragments. Since each process returns at most once 
in each round and fails at most once overall, there are at most $\phi_{id}(\alpha) + n(\phi_{MaxRound}(\alpha) + R) + n$ 
events inc, dec, return-flip and stop in $\alpha$. By Lemma 12.3, whenever some process is flipping, 
the maximum distance between two events of the kind inc, dec, return-flip, and stop is linear. 
Thus, the maximum time where some process is flipping in $\alpha$ (the time complexity of the 
second kind of execution fragments) is at most $c'_1 n^2 (\phi_{MaxRound}(\alpha) + R) + c_2 n \phi_{id}(\alpha) + c_3 n^2$ for 
some constants $c'_1$, $c_2$, and $c_3$. Combining the two results, the time that elapses in $\alpha$ is at most 
$d_1 n^2 (\phi_{MaxRound}(\alpha) + R) + d_2 n \phi_{id}(\alpha) + d_3 n^2$, where $d_1 = c_1 + c'_1$, $d_2 = c_2$, and $d_3 = c_3$. ■ 

The next two lemmas state basic properties of the coin flipping protocols. Lemma 12.5 
derives from the fact that all the processes within a coin flipping protocol terminate once 
the shared counter reaches an absorbing barrier $(K+1)n$ or $-(K+1)n$. Essentially, once 
an absorbing barrier is reached, there are at most n other flip events, one for each process. 
Lemma 12.6 derives from the fact that each inc or dec event must be preceded by a flip event. 
If we start from an arbitrary reachable state, there could be some inc and dec events that 
occur without any preceding flip event. However, the number of anomalous inc and dec events 
is at most n, that is, one for each process. 

Lemma 12.5 Let $\alpha = \alpha_1 \frown \alpha_2$ be a finite execution of $DCF_r$, and suppose that $|\phi_{inc}(\alpha_1) - 
\phi_{dec}(\alpha_1)| \ge (K+1)n$. Then $\phi_{flip,r}(\alpha_2) \le n$. 

Proof. We consider the case where $\phi_{inc}(\alpha_1) - \phi_{dec}(\alpha_1) \ge (K+1)n$. The other case is 
symmetric. By Lemma 9.4, each state of $\alpha_2$ satisfies $\mathit{counter} \ge Kn$, and thus each non-failing 
process returns 1 once it reads counter (performing the read operation in $\alpha_2$) and checks its 
value. Each process can flip at most once in $\alpha_2$ before starting a new read operation. Thus, 
the number of flip events that occur in $\alpha_2$ is bounded by n. ■ 

Lemma 12.6 Let $\alpha$ be a finite execution fragment of $DCF_r$ that starts from a reachable state. 
Then, $\phi_{id,r}(\alpha) \le \phi_{flip,r}(\alpha) + n$. 

Proof. In $fstate(\alpha)$ there are at most n increment or decrement events that can be performed 
without first flipping a coin. ■ 

12.4 Expected Bound on Increment and Decrement Events 

In this section we show an upper bound on the expected number of increment and decrement 
events that occur within a probabilistic execution of DAH. First, based on our results on 
random walks (cf. Proposition 3.12), we show in Lemma 12.7 an upper bound on the expected 
number of coin flips performed by a coin flipper. Then, in Lemma 12.8 we use this result to- 
gether with our results about linear combinations of complexity measures (cf. Proposition 2.4) 
to derive an upper bound on the expected number of increment and decrement events per- 
formed by a coin flipper. Then, in Lemma 12.9 we use our compositionality results about 
complexity measures (cf. Proposition 2.6) to show that the bound of Lemma 12.8 is preserved 
by parallel composition. Finally, in Lemma 12.10 we use our result about phases of computa- 
tions (cf. Proposition 2.5) to combine the result about the expected number of increment and 
decrement events of a coin flipper with our knowledge of the maximum expected number of 
coin flippers that may be invoked. This allows us to derive an upper bound on the expected 
total number of increment and decrement events during the consensus protocol. 

Lemma 12.7 Let H be a probabilistic execution fragment of $DCF_r$ that starts from a reachable 
state of $DCF_r$, and let $\Theta$ be a full cut of H. Then $E_{\phi_{flip,r}}[H, \Theta] \le (K+1)^2 n^2 + n$. 

Proof. Let s be the start state of H, and let $\alpha$ be a finite execution of $DCF_r$ with $s = 
lstate(\alpha)$. Let $z = \phi_{inc}(\alpha) - \phi_{dec}(\alpha)$. If $|z| \ge (K+1)n$, then, by Lemma 12.5, for each 
$q \in \Theta$, $\phi_{flip,r}(q) \le n$, and thus $E_{\phi_{flip,r}}[H, \Theta] \le n$. If $|z| < (K+1)n$, then, by Proposition 3.12, 
$E_{\phi_{Acts,-(K+1)n,(K+1)n,z}}[H, \Theta] \le -z^2 + (K+1)^2 n^2 \le (K+1)^2 n^2$, that is, the event denoted by Acts 
is satisfied within expected $(K+1)^2 n^2$ flip events, truncating the count whenever an absorbing 
barrier $\pm(K+1)n$ is reached. Once an absorbing barrier is reached, by Lemma 12.5 there are at 
most n other flip events. Thus, for each state q of H, $\phi_{flip,r}(q) \le \phi_{Acts,-(K+1)n,(K+1)n,z}(q) + n$. 
By Proposition 2.4, $E_{\phi_{flip,r}}[H, \Theta] \le (K+1)^2 n^2 + n$. ■ 
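The barrier probability used in Proposition 9.12 and the expected flip count used in Lemma 12.7 above, computed exactly, as an added example that is not part of the paper: the walk $\phi_{inc} - \phi_{dec}$ moves by ±1 per flip, and the hitting probability and expected absorption time are the solutions of the harmonic equations in the comments (the tridiagonal solver and the function names are this example's own).

```python
"""Exact gambler's-ruin numbers for the random walk phi_inc - phi_dec of
the coin flipper.  Added example, not the paper's code.  The walk starts
at z, moves +1 or -1 per flip with probability 1/2 each, and stops at the
absorbing barriers a < z < b."""
from fractions import Fraction
from typing import List, Tuple


def _solve_laplace(rhs: List[Fraction]) -> List[Fraction]:
    """Solve -x[i-1] + 2 x[i] - x[i+1] = rhs[i] for i = 0..m-1, with the
    boundary values x[-1] = x[m] = 0 already folded into rhs, by the Thomas
    algorithm for tridiagonal systems (exact rational arithmetic)."""
    m = len(rhs)
    cp = [Fraction(0)] * m      # modified superdiagonal
    dp = [Fraction(0)] * m      # modified right-hand side
    for i in range(m):
        prev_c = cp[i - 1] if i else Fraction(0)
        prev_d = dp[i - 1] if i else Fraction(0)
        denom = Fraction(2) + prev_c          # diag - sub * cp[i-1], sub = -1
        cp[i] = Fraction(-1) / denom
        dp[i] = (rhs[i] + prev_d) / denom     # rhs - sub * dp[i-1]
    x = [Fraction(0)] * m
    x[m - 1] = dp[m - 1]
    for i in range(m - 2, -1, -1):
        x[i] = dp[i] - cp[i] * x[i + 1]
    return x


def absorption_stats(a: int, b: int, z: int) -> Tuple[Fraction, Fraction]:
    """Symmetric +-1 walk started at z and absorbed at a or b (a < z < b).
    Returns (P[reach b before a], E[number of steps until absorption])."""
    assert a < z < b
    m = b - a - 1                     # unknowns for the positions a+1 .. b-1
    # hitting probability: p(x) = (p(x-1) + p(x+1)) / 2, p(a) = 0, p(b) = 1
    rhs_p = [Fraction(0)] * m
    rhs_p[-1] = Fraction(1)           # p(b) = 1 moves to the right-hand side
    # expected time: t(x) = 1 + (t(x-1) + t(x+1)) / 2, t(a) = t(b) = 0
    rhs_t = [Fraction(2)] * m
    idx = z - a - 1
    return _solve_laplace(rhs_p)[idx], _solve_laplace(rhs_t)[idx]


def coin_flipper_bounds(K: int, n: int) -> Tuple[Fraction, Fraction]:
    """The Top/Bottom events of Proposition 9.12: the walk starts at 0 with
    barriers -(K-1)n and (K+1)n.  Returns (P[top barrier first], E[flips]);
    the probability is exactly (K-1)/2K, the bound the proposition states."""
    return absorption_stats(-(K - 1) * n, (K + 1) * n, 0)


def absorbing_flip_bound(K: int, n: int, z: int) -> Fraction:
    """The Either event of Lemma 12.7: barriers at +-(K+1)n, walk started at
    z.  Returns E[flips], which equals (K+1)^2 n^2 - z^2 as used in the lemma."""
    return absorption_stats(-(K + 1) * n, (K + 1) * n, z)[1]


if __name__ == "__main__":
    K, n = 3, 2
    p_top, flips = coin_flipper_bounds(K, n)
    print(f"K={K}, n={n}: P[top first] = {p_top}, E[flips] = {flips}")
    for z in range(-(K + 1) * n + 1, (K + 1) * n):
        assert absorbing_flip_bound(K, n, z) == (K + 1) ** 2 * n ** 2 - z * z
    print("Lemma 12.7 bound (K+1)^2 n^2 - z^2 matches for every start z")
```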



Lemma 12.8 Let H be a probabilistic execution fragment of $DCF_r$ that starts from a reachable 
state of $DCF_r$, and let $\Theta$ be a full cut of H. Then $E_{\phi_{id,r}}[H, \Theta] \le (K+1)^2 n^2 + 2n$. 

Proof. By Lemma 12.6, for each execution fragment $\alpha$ of $DCF_r$, $\phi_{id,r}(\alpha) \le \phi_{flip,r}(\alpha) + n$. 
Then, by Proposition 2.4, $E_{\phi_{id,r}}[H, \Theta] \le E_{\phi_{flip,r}}[H, \Theta] + n$. By Lemma 12.7, $E_{\phi_{flip,r}}[H, \Theta] \le 
(K+1)^2 n^2 + n$. Thus, $E_{\phi_{id,r}}[H, \Theta] \le (K+1)^2 n^2 + 2n$. ■ 

Lemma 12.9 Let H be a probabilistic execution fragment of DAH that starts from a reachable 
state of DAH, and let $\Theta$ be a full cut of H. Then $E_{\phi_{id,r}}[H, \Theta] \le (K+1)^2 n^2 + 2n$. 

Proof. Since $H \lceil DCF_r$ is a probabilistic execution fragment of $DCF_r$ that starts from a 
reachable state of $DCF_r$, by Lemma 12.8, $E_{\phi_{id,r}}[H \lceil DCF_r, \Theta'] \le (K+1)^2 n^2 + 2n$ for each full 
cut $\Theta'$ of $H \lceil DCF_r$. By Proposition 2.6, since by Lemma 12.1 for each execution fragment $\alpha$ 
of DAH, $\phi_{id,r}(\alpha) = \phi_{id,r}(\alpha \lceil DCF_r)$, $E_{\phi_{id,r}}[H, \Theta] \le (K+1)^2 n^2 + 2n$. ■ 

Lemma 12.10 Let H be a probabilistic fair execution fragment of DAH with start state s, 
and let $R = s.max\text{-}round$. Suppose that s is reachable. Let $\Theta$ denote the set of minimal states 
of H where a state from V is reached. Then $E_{\phi_{id}}[H, \Theta] = O(Rn^2)$. 

Proof. If $R = 0$, then $\Theta = \{s\}$, and thus $E_{\phi_{id}}[H, \Theta] = 0 = O(Rn^2)$. For the rest of the 
proof assume that $R > 0$. Given a state q of H, we know that $\phi_{id}(q) = \phi_{id,1}(q) + \cdots + 
\phi_{id,R}(q) + \phi'(q)$, where $\phi'(q) = \sum_{r>0} \phi_{id,r+R}(q)$. For each $r > 0$, let $\Theta_r$ be the set of minimal 
states q of H such that $\phi_{MaxRound}(q) \ge r$. Then, for each $q \in \Theta_r$, $\phi_{id,r+R}(q) = 0$, and 
for each state q of H and each $r > \phi_{MaxRound}(q)$, $\phi_{id,r+R}(q) = 0$ ($CF_{r+R}$ does not start 
until some process reaches round $r + R$). Furthermore, by Lemma 12.9, there is a constant 
$c = (K+1)^2 n^2 + 2n$ such that for each probabilistic execution fragment $H'$ of DAH, each full 
cut $\Theta'$ of $H'$, and each $i > 0$, $E_{\phi_{id,i}}[H', \Theta'] \le c$. Therefore, we are in the conditions to apply 
our result about phases of computation (cf. Proposition 2.5): each round is a phase, and the 
numbers of inc and dec events that occur within each round are the complexity measures for 
their corresponding round. Function $\phi_{MaxRound}$ is the measure of how many phases are started. 
By Proposition 2.5, $E_{\phi'}[H, \Theta] \le c\,E_{\phi_{MaxRound}}[H, \Theta]$. By Theorem 11.1, $E_{\phi_{MaxRound}}[H, \Theta]$ is bounded 
by a constant (independent of n). Therefore, $E_{\phi'}[H, \Theta] = O(n^2)$. Finally, since for each i, H, 
and $\Theta$, $E_{\phi_{id,i}}[H, \Theta] = O(n^2)$, by Proposition 2.4, $E_{\phi_{id}}[H, \Theta] = O(Rn^2) + O(n^2) = O(Rn^2)$. ■ 

12.5 Expected Bound on Time 

We are now ready to prove our main result, which is just a pasting together of the results 
obtained so far. Specifically, we show that starting from any reachable state of DAH, assum- 
ing well-timedness, a state from V is reached within expected time $O(Rn^3)$, where R is the 
maximum round of the processes at the starting state. Our result about reaching V implies 
directly several results about the termination properties of the consensus protocol of Aspnes 
and Herlihy (cf. Corollary 12.12). 

Theorem 12.11 Let H be a probabilistic fair, well-timed execution fragment of DAH with 
start state s, and let $R = s.max\text{-}round$. Suppose that s is reachable. Let $\Theta$ denote the set of 
minimal states of H where a state from V is reached. Then $E_{\phi_t}[H, \Theta] = O(Rn^3)$. 

Proof. If $R = 0$, then $\Theta = \{s\}$, and thus $E_{\phi_t}[H, \Theta] = 0 = O(Rn^3)$. If $R > 0$, then, by 
Lemma 12.4, for each well-timed execution fragment $\alpha$ of DAH, 

    $\phi_t(\alpha) \le d_1 n^2 (\phi_{MaxRound}(\alpha) + R) + d_2 n \phi_{id}(\alpha) + d_3 n^2.$ 

By Proposition 2.4, 

    $E_{\phi_t}[H, \Theta] \le d_1 n^2 E_{\phi_{MaxRound}}[H, \Theta] + d_1 n^2 R + d_2 n E_{\phi_{id}}[H, \Theta] + d_3 n^2.$ 

Thus, by Theorem 11.1 and Lemma 12.10, $E_{\phi_t}[H, \Theta] = O(Rn^3)$. ■ 

Theorem 12.11 gives enough information to derive some time bounds for DAH. Here we 
give some examples. The first item says that whenever all processes are initialized already all 
non-failing processes decide within expected time $O(Rn^3)$, where R is the number of rounds 
that are started already. That is, the algorithm has to work for an expected cubic time for 
each one of the rounds that are started already. The second item says that if we know that at 
least one of the initialized processes will not fail, then some process decides within expected 
time $O(Rn^3)$. The third item is an instantiation of the first item saying that all non-failing 
processes decide within cubic time if at the beginning all processes are initialized and the 
maximum round number is 1. 
Corollary 12.12 Let H be a fair, well-timed probabilistic execution fragment of DAH that 
starts from a reachable state s of DAH. The following properties are satisfied by H. 

1. If in s all processes are initialized already and R is the maximum round of the processes, 
then within expected time $O(Rn^3)$ all non-failing processes decide. 

2. If in s there is at least one initialized and non-failed process, the maximum round number 
is R, and no new process fails, then within expected time $O(Rn^3)$ some process decides. 

3. If in s all processes are initialized and the maximum round is 1, then within expected 
time $O(n^3)$ all non-failing processes decide. 

Proof. Item 1 follows from Theorem 12.11 and from the fact that to reach V each process 
must either fail or decide; Item 2 follows from the fact that to reach V all active processes 
must decide; Item 3 is an instantiation of Item 1. ■ 



13 Concluding Remarks 

We have studied the expected complexity of the randomized consensus algorithm of Aspnes 
and Herlihy, a highly nontrivial randomized distributed algorithm, and we have developed a 
collection of mathematical tools that can be used for the analysis of other algorithms as well. 
Our analysis of the algorithm was driven by two main ideas: decompose the algorithm into 
simpler parts and separate probability from nondeterminism. The collection of modularization 
tools that we have developed and their successful application show that the analysis of 
randomized distributed algorithms is indeed feasible and not too difficult. Most of our analysis is 
essentially the same as the analysis of an ordinary distributed, non-randomized, algorithm. 

It is useful to observe the kinds of modularization that we have used and where we have 
used them. For each kind of modularization we provide a brief description and references to 
the places in the paper where the modularization results are stated and used, respectively. 



• Decomposition of a partial progress statement into more statements: progress is achieved 
through several small easy steps (Proposition 2.8 used in Proposition 8.1). 

• Derivation of expected complexity bounds from partial progress statements: an infinitary 
property is analyzed by means of some finite form of progress (Theorem 2.9 used in 
Proposition 8.1). 

• Modularity of probability spaces with respect to parallel composition (Proposition 2.3 
used in Propositions 8.2 and 8.3). 



• Coin lemmas and related results to reduce probability to nondeterminism (Theorems 3.5 
and 3.7 used in Propositions 9.11 and 9.12 and in Lemma 12.7). 
• Transformation of relations between complexity measures into relations between expected 
complexities. We analyze the complexity of an ordinary execution and we study the 
relationship between different complexity measures at the level of executions. Then, we 
transfer the results to probabilistic executions and expected values. (Proposition 2.4 used 
in Lemmas 12.8 and 12.10 and in Theorem 12.11). 

• Analysis of computations divided into phases (Proposition 2.5 used in Lemma 12.10). 

• Preservation of expected complexity bounds under parallel composition (Proposition 2.6 
used in Lemma 12.9). 

• Refinement mappings and related compositionality results (Propositions 2.10, 2.11, and 2.14 
used in Theorem 10.2). 

If we compare the length of our analysis with the length of the original paper of Aspnes and 
Herlihy, we observe that the two lengths are similar. The length of our analysis is double the 
length of the analysis in [5]; however, our analysis includes a timing analysis of the protocol, 
which was not present in [5], and it includes all the details, many of which were not considered 
in the analysis of [5]. Also, our proof would be considerably shorter if we had not included 
the detailed invariants and their proofs. These details are usually not included in algorithm 
papers. 

Although we think it is acceptable that low-level details of a proof be omitted in an 
algorithm paper, we believe that a high level proof should be rigorous enough to avoid the 
subtleties of randomization, which are due mainly to the interplay between probability and 
nondeterminism. Intuition often fails when dealing with randomization in a distributed setting. The 
results that we have presented in this paper provide criteria that allow us to avoid becoming 
confused by the subtleties of randomization. We have analyzed a complicated algorithm in 
order to ensure that our results are applicable to realistic randomized distributed protocols 
(not just toy examples), and in order to increase the chance that our results will apply to a 
wide range of protocols. 